Close
About
FAQ
Home
Collections
Login
USC Login
Register
0
Selected
Invert selection
Deselect all
Deselect all
Click here to refresh results
Click here to refresh results
USC
/
Digital Library
/
University of Southern California Dissertations and Theses
/
Emerging technology and its impact on security policy
(USC Thesis Other)
Emerging technology and its impact on security policy
PDF
Download
Share
Open document
Flip pages
Contact Us
Contact Us
Copy asset link
Request this asset
Transcript (if available)
Content
Running Head: EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY 1
EMERGING TECHNOLOGY AND ITS IMPACT ON
SECURITY POLICY
by
Matthew Bogaard
A Dissertation Presented to the
FACULTY OF THE USC PRICE SCHOOL OF PUBLIC POLICY
UNIVERSITY OF SOUTHERN CALIFORNIA
In Partial Fulfillment of the
Requirements for the Degree
DOCTOR OF POLICY, PLANNING, AND DEVELOPMENT
August 2017
Copyright 2017 Matthew Bogaard
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 2
Table of Contents
Abstract ..................................................................................................................................7
Chapter 1 - Evolving Technological Landscape ................................................................8
Polycentric Problems .................................................................................................9
Project Objectives ......................................................................................................13
Background ................................................................................................................14
Changing Landscape ......................................................................................14
Key Threats and Risks ...............................................................................................17
Insider Threats ...............................................................................................18
Digital Piracy .................................................................................................18
Radicalization ................................................................................................18
Cyber-Threats ................................................................................................19
Unmanned Aerial Vehicles ............................................................................19
Proposed Responses ...................................................................................................20
Convergence ..................................................................................................20
Big Data Analytics .........................................................................................21
Organizational Networks ...............................................................................22
Policy Implications and Project Summary .................................................................23
Chapter 2 - Protecting Intellectual Property.....................................................................27
Background ................................................................................................................27
The Source of the Challenges ....................................................................................30
Global Implications of Piracy ........................................................................30
Ambiguous Valuation ....................................................................................31
Judicial Precedent ..........................................................................................32
Ease of Duplication ........................................................................................32
Consumer Ambivalence .................................................................................33
Insider Access ................................................................................................34
Contemporary Case Studies .......................................................................................34
Conclusion .................................................................................................................36
Chapter 3 - Contemporary Trends in Security and Policing ...........................................37
Background ................................................................................................................37
Emerging Trends ........................................................................................................38
The Role of Police .........................................................................................38
Dependence on Private Security ....................................................................41
Policy Trends .................................................................................................43
Conclusion .................................................................................................................47
Chapter 4 - Insider Threats ................................................................................................48
Background ................................................................................................................48
Technology’s Impact on Insider Threats ...................................................................50
Outsourcing ....................................................................................................50
Cultural Differences .......................................................................................51
Social Media Use ...........................................................................................51
Mobile Devices ..................................................................................52
Global Travel .....................................................................................52
Types of Attackers .....................................................................................................53
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 3
Criminal .........................................................................................................53
Unethical ........................................................................................................54
Reckless .........................................................................................................54
Careless ..........................................................................................................54
Profiling the Attacker .................................................................................................54
Minimal Technical Expertise .........................................................................56
No “Typical” Position Within the Organization ............................................56
Intellectual Property is the Likely Target ......................................................56
Financially Motivated ....................................................................................57
Misjudging the Consequences .......................................................................57
Leakage ..........................................................................................................58
Anger..............................................................................................................58
External Indications .......................................................................................59
Sabotage .........................................................................................................59
Apprehending Attackers ............................................................................................60
Mitigation Strategies ..................................................................................................61
Establish Formal Protocols ............................................................................62
Operational Impact.....................................................................................................65
Conclusion .................................................................................................................66
Chapter 5 - Digital Piracy ...................................................................................................68
Background ................................................................................................................69
Traditional Piracy to Digital Piracy: What has changed? .........................................70
Globalization ..................................................................................................70
Transnational Organized Crime .....................................................................71
Enforcement Challenges ................................................................................71
Network Dependence .....................................................................................72
Decreasing Reproduction Costs .....................................................................73
Counterfeiting ................................................................................................73
Case Study: Movies ...................................................................................................74
Physical Theft ................................................................................................75
Camcording ....................................................................................................75
Unlawful Duplication.....................................................................................76
Unauthorized Web Distribution .....................................................................76
Industry Strategies to Reduce Piracy .........................................................................77
Conclusion .................................................................................................................79
Chapter 6 - Online Radicalization ......................................................................................82
Background ................................................................................................................83
Technology’s Role in Radicalization .........................................................................84
New Tools ......................................................................................................84
Advancement of Internet Capabilities ...........................................................85
Shift from Institutional Meetings ...................................................................88
Interactive Institutions ...................................................................................88
Stages of Radicalization .............................................................................................89
Mechanisms of Online Radicalization .......................................................................91
Mortality Salience ..........................................................................................92
Moral Outrage ................................................................................................92
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 4
Extremist Forums ...........................................................................................92
Online Disinhibition.......................................................................................93
Mobilization Through Role Playing ..............................................................94
Link into Terror Structures ............................................................................94
Countering Online Radicalization in the United States .............................................95
Reducing the Supply ......................................................................................95
Reducing the Demand ....................................................................................96
Exploiting the Internet ...................................................................................99
Conclusion .................................................................................................................100
Chapter 7 – Cyber Threats in the Information Age .........................................................103
Background ................................................................................................................104
Characteristics of the Internet ....................................................................................105
Network Attacks ........................................................................................................107
Threats Due to Interconnectedness ................................................................110
Modern Living ...................................................................................110
Health/Medical Sector .......................................................................110
Financial Markets...............................................................................110
Transportation Industry ......................................................................111
Utilities Sector ...................................................................................111
Case Study: Asymmetric Warfare ............................................................................111
Common Cyber-Attacks ............................................................................................113
Zombie ...........................................................................................................113
Botnet .............................................................................................................114
Trojan Horse ..................................................................................................114
Logic Bomb ...................................................................................................114
Virus ...............................................................................................................115
Worm .............................................................................................................115
Case Study: Attacks on the Supply Chain Process ....................................................116
Scenario 1: Weapons Trafficking in Maritime Containers ...........................116
Scenario 2: Pharmaceutical Sabotage ...........................................................117
Scenario 3: Cargo Theft ................................................................................117
Notable Technology Based Incidents ........................................................................118
Spanair’s Plane Crash ....................................................................................118
Stuxnet Computer Worm ...............................................................................119
Russian Invasion of Georgia ..........................................................................120
Conclusion .................................................................................................................120
Chapter 8 - Unmanned Aerial Vehicles .............................................................................123
Background ................................................................................................................124
Advantages of Drones ................................................................................................126
Expanding Use of Drones ..........................................................................................127
Military Use ..................................................................................................127
Police Use .....................................................................................................127
Public and Civilian Use ................................................................................128
Art ......................................................................................................129
Mapping .............................................................................................129
Public Safety ......................................................................................130
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 5
Monitoring Environmental Conditions ..............................................130
Humanitarian and Development Aid .................................................130
Journalism / Media .............................................................................131
Accountability and Compliance .........................................................131
Security Implications .................................................................................................131
Privacy ...........................................................................................................132
Oversight ........................................................................................................133
Safety .............................................................................................................134
Guidelines for Drone Use ..........................................................................................134
Alternatives ....................................................................................................135
Physical and Material Security ......................................................................135
Public Interest and Accountability .................................................................135
Privacy (individual and collective) ................................................................136
Conclusion .................................................................................................................136
Chapter 9 - The Security-Privacy Dilemma ......................................................................138
Background ................................................................................................................139
Fear, Technology, and Privacy ..................................................................................140
Data Mining ...................................................................................................141
Rise of Surveillance Oriented Security Technology ......................................143
Geolocation Tracking.....................................................................................145
Role of IT Stakeholders in Policy and Ethics ................................................147
Factors to Consider for Policymakers ........................................................................149
Conclusion .................................................................................................................151
Chapter 10 - Potential Responses .......................................................................................153
Convergence ..............................................................................................................154
Social and Technological Changes ................................................................156
Interconnectedness .............................................................................156
Digitization ........................................................................................158
Benefits of Convergence ................................................................................158
Enterprise Risk Management .............................................................159
Optimize Business Processes .............................................................160
Leverage Technology.........................................................................160
Enhance Crisis Response Capabilities ...............................................160
Raise Awareness ................................................................................161
Barriers to Convergence ................................................................................162
Different Careers Paths ......................................................................162
Experience Levels ..............................................................................162
Technical Expertise ............................................................................163
Salary Differential ..............................................................................163
Budget Allocation Conflict ................................................................163
Big Data Analytics .....................................................................................................164
Technological Change ...................................................................................165
Response Strategies .......................................................................................165
Risk Assessments ...............................................................................166
Simulations ........................................................................................168
Data Aggregation Tools .....................................................................169
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 6
Software-based Automation...............................................................173
Organizational Collaboration .....................................................................................175
Forming Networks .........................................................................................177
Fusion Centers ...................................................................................178
Task Forces ........................................................................................179
Barriers to Collaboration................................................................................180
Technology’s Impact on Community Relations ................................181
Inter-Agency Challenges ...................................................................181
Threats to Economic Stability ............................................................182
Power Struggles .................................................................................182
Reluctance to Change ........................................................................183
Conclusion .................................................................................................................184
Chapter 11 - Future of Security Policy ..............................................................................186
Implementation Barriers ............................................................................................186
Evolving Nature of Technology.....................................................................186
Lagging Legal Framework .............................................................................187
General Lack of Clarity and Ownership ........................................................187
Stakeholder Conflict ......................................................................................188
Extreme Global Uncertainty ..........................................................................188
Recommendations ......................................................................................................189
Insider Threats ...............................................................................................189
Digital Piracy .................................................................................................190
Online Radicalization.....................................................................................191
Cyber-Threats ................................................................................................192
Unmanned Aerial Vehicles ............................................................................193
Research Limitations and Final Lessons....................................................................193
References .............................................................................................................................197
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 7
Abstract
For a number of reasons, concerns surrounding security and safety have intensified. Contributing
to such increased visibility and awareness are factors such as global terrorism, civil unrest in
multiple locations around the world, and increasing examples of violent attacks both domestic and
abroad. We are living in a transformative era of security policy and risk analysis. The common
thread fueling this transformation is emerging technology. Technological growth has been rapid,
risks are dynamic, and responses to this new condition are predominantly reactive instead of
proactive. An increasingly interconnected world from a social, political, and economic perspective
has created unintended consequences. New tools developed for growth and development are
creating dangerous vulnerability. Emerging technology has created expansive opportunities for
growth and innovation while simultaneously creating opportunities for malicious or illegal
activities directly associated with that growth. Crimes which leverage new technology are more
complicated, more nuanced, and more challenging. Indeed, many of today’s crimes are not new
but technology has forced us to rethink our approach. Traditional policies to reduce transnational
crime, to manage global risk, and to instill a sense of safety and security are no longer adequate,
some obsolete. Proposed solutions involve the convergence of information and physical security
domains, leveraging the most advanced big data analytics, and cultivating organizational networks.
Technology is paradoxically creating new opportunities for criminal activity and simultaneous
being used monitor citizens for crime prevention. Given this transformation, the thoughtful
balancing of security and privacy will be instrumental as surveillance, tracking, and monitoring
could jeopardize individual security, albeit with the best of intentions for collective safety in
society.
Keywords: security, policy, technology, risk, computers, globalization, terrorism
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 8
Chapter 1 - Evolving Technological Landscape
Recent pivotal events in our country’s history have illuminated the breadth and depth of
security challenges. The terrorist events of 9-11, the Sony network hack, and other notable acts
of domestic terrorism by American citizens apparently radicalized in the United States have
created a need for broader security and risk management. Conventional security policy based on
fences, cameras, and guards is no longer suitable for such an environment (Egli, 2013). Threats
and risks are pervasive and solutions are fleeting. Emerging technology has become more
commonly used vernacular which defines technologies that are either brand new, in
development, or projected within the next few years. This technology is the single common
denominator that inextricably links fundamental theories of security policy. “The Internet, as a
global medium, has the potential to reach an unlimited number of people instantaneously, with
minimum expenses, and with no restrictions in terms of time and geographical limits” (Lucchi,
2006, pg. 33).
An expanding set of global risks coupled with emerging technology pose unique
challenges for security leaders responsible for keeping companies and employees safe. As
security challenges become broader and more diverse, policies must be crafted to address
contemporary challenges in this dynamic environment. Traditional approaches will no longer be
effective. Government leaders and private sector experts must focus on a visionary approach to
security policy. New security policy must be adaptive and creative to combat complex criminal
schemes which leverage new technology. The need to develop new security protocols has
national and international implications.
Policy leaders need to be aware of the rapidly changing landscape. Leaders in this space
must create policy that mirrors real threats and phases out ineffective programs. Piracy is a
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 9
global problem with security, safety, and financial implications. Insider threats to a company’s
source code, proprietary data, or valuable intellectual property generate risks today that have not
previously existed. The widespread and growing use of and dependence on social media for both
personal and business-related functions underscore a new vulnerability as information gets
transferred at lightning speeds. Global terrorism, previously only a concern in a limited number
of countries and isolated regions of the world, now has no borders. The Internet allows for the
cohesive and organized recruitment of new supporters and sympathizers who are at risk to act on
their beliefs domestically in the form of homegrown violent extremism (Southers, 2014). As this
occurs, companies need to adapt, pivot strategically, and re-tool their security and risk strategies.
If security becomes inherent in the corporate culture, then there will be not only a greater
focus on risk analysis, but also on opportunities to scale back security to improve efficiency.
The strategic reduction or elimination of ineffective policies can allow for new business models
– that is, a strategy to achieve long-term strength as an organization. This new corporate
philosophy of security must emphasize legitimate risks and opportunities. It must be adaptive
and flexible. Security should become woven into the fabric of the culture of an organization, not
simply a compartmentalized division or group.
Security challenges of today require multi-disciplinary groups to work closely with a
diverse set of stakeholders, many of whom have conflicting priorities. Sometimes the entities
that need to work together to combat these challenges operate in different states, regions, or even
countries. To better understand the underlying characteristics and root causes of this challenge,
it is helpful to frame it more broadly as a polycentric problem.
Polycentric Problems
A polycentric problem is one which is multifaceted and complex, requiring a systematic
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 10
and comprehensive strategy to solve. It is one that is deeply rooted in institutional norms,
bureaucracy, and procedures that make it difficult, if not impossible, to solve with small,
individualized approaches. Polycentric connotes many centers of decision making that are
formally independent of each other and their cooperative undertakings are central to resolving
conflicts (Ostrom, 2010). Solutions depend on collaborative efforts of stakeholders. To better
understand polycentric problems and how they are related to security policy, we turn to two
social problems which both require comprehensive and refined approaches. Those contemporary
examples are prison overcrowding and water shortage.
The first example of a polycentric problem is the current state of affairs with the state’s
prison system – the California Department of Corrections and Rehabilitation (CDCR). Having
been critically reviewed by the courts multiple times in the past decade, California’s prisons are
multi-faceted and layered. They are in a dire situation facing budget restrictions, overcrowding,
deteriorating facilities, poorly trained personnel, inadequate health care, preventable deaths, poor
data management, and frequent accusations of abuse by guard staff. CDCR, as a result of
ongoing legal challenges, has been forced to release many prisoners early. Some law
enforcement groups associate this early release program with increased crime. The practices of
prison management and operations are often shielded or obscured from public oversight; their
norms are deeply entrenched in tradition and centralized control. CDCR has made some changes
and improvements at the urging of the court but as polycentric implies, all of the problems are
linked and must be addressed with a broad and integrated strategy. A successful strategy
frequently demands the work of multiple stakeholders who are engaged and committed. Those
stakeholders include prison leadership, the CDCR, the Governor’s Office, victim’s advocate
groups, and prison reform non-profits. The coordination of multiple entities to solve
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 11
complicated problems has inherent challenges. Previously separate and seemingly unrelated
domains now must be bridged and blended.
The second example of a polycentric problem is water management. Water shortage
challenges have dated back many years. Freshwater is a prerequisite for human well-being for
drinking water, sanitation, health, food safety, energy supply, industrial processes, transportation,
and recreation. The policy implications and management decisions cross national borders and
traverse regions of the world. There are many reasons for water shortages, among them climate
change, overpopulation, misuse and mismanagement. The problems with water management are
multi-faceted and require a comprehensive strategy to solve. There is increasing pressure to
create water management policies that are horizontally integrated and sustainable. However,
many of the policies are deeply rooted in tradition and drawn from institutional norms. The
agriculture industry, being the largest consumer of water, is a powerful political lobby and they
have numerous reasons to be closely involved in the policy discussions. As the global demand
for water increases, supply decreases, and public discourse becomes more prominent, no clear
global governance framework has emerged (Pahl-Wostl, 2008).
The primary stakeholders –researchers, scientists, and environmentalists– agree that
adaptive and integrative water policies are vital to long-term success and sustainability. The
polycentric nature of this challenge occurs when the solution requires the commitment of
multiple entities and the balancing of competing interests. Consumers, water commissions, and
investors often have conflicting and competing interests. There are also representatives from
agriculture, other water utilities, national departments and provincial governments who are
essential stakeholders (Muller, 2012). Since water conservation is a prominent concern and
often a highly charged political debate, these challenges are compounded with the presence of so
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 12
many stakeholders. Furthermore, the policy makers (central organizations such as governments)
and other stakeholders do not always view their roles as collaborative.
Water is a local issue but with global policy implications. The solution must involve a
cooperative and integrated approach. Pahl-Wostl (2006) stated, “It has become increasingly
clear that the pressing problems in this field have to be tackled from an integrated perspective
taking into account environmental, human and technological factors and in particular their
interdependence” (pg. 49).
In applying an analogous framework, new and emerging technology has created a
polycentric security problem. Consider well-publicized security challenges such as
radicalization and piracy. Neither are new concepts but both have become more complicated,
more nuanced, and more impactful as a direct result of the introduction of new technology. For
example, the Internet can now be used as a tool of digital information exchange and distribution.
It has somewhat suddenly become an established medium of exchange. Extremist groups can
increase their recruitment efforts and expand their breadth of influence. Digitally pirated content
can now be distributed globally. While prison overcrowding and water shortage are different
policy challenges than online radicalization and digital piracy, they still dictate the need for a
thoughtful and strategic approach to address a complicated security challenge.
Challenges in security policy, some that are well-established and some that are new, are
linked by technology. Security directors and policy makers are faced with a wide array of
evolving challenges. The convergence of threats and risks facing companies today reflects the
interdependence and complexity of such circumstances. They require a response that brings
together a variety of solutions that are integrated in an efficient way. The deployment of
resources must be calculated, methodical, and auditable. Metrics must not only be monitored
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 13
closely but acted on in a timely way as challenges dictate.
Project Objectives
Security policies –public or private—are often reactionary, tactical, and decentralized.
However, contemporary threats such as transnational crime, global terrorism, the online
radicalization of homegrown violent extremists, and sophisticated piracy schemes have forced
security leaders to rethink and retool their risk strategies. There are a variety of new security
challenges which have emerged somewhat unexpectedly and evolved quickly due to our strong
dependence on technology for global business.
The primary purpose of this project is to illuminate those challenges for the purposes of
updating ineffective policies and creating new ones as shaped by legitimate needs. Moreover,
the project aims to provide a backdrop for policy makers and create validation for change. This
project can serve as a manual or guide to shape policy to strengthen the industry, tighten
organizational loopholes, and underscore corporate vulnerabilities. Today’s security leaders
should be trailblazers. Their efforts should be deliberate, thoughtful, and contrarian. The
magnitude of such an evolution demands it.
The secondary objective of this project is to provide guidance and direction to policy
leaders, directors of security, industry consultants, and facilities managers to strengthen security
protocols and enhance the process based on emerging threats and risks. A clear recognition of
how emerging technology is changing security policy will be essential in crafting effective
protocols. In doing so, the project will outline the current state of security policy, define and
illuminate what is changing, and create a resource for practitioners to implement change in their
organizations.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 14
Background
In the previous sections, we defined emerging technology and summarized how it has
made traditional security themes such as piracy and radicalization more complicated to combat.
The use of unmanned aerial vehicles (e.g., drones) and attacks by insiders (e.g., insider threats)
are two additional security challenges that have long existed but are now more complicated with
the advancement of technology. For example, drones have been used for decades by the military
for covert, unmanned attacks on enemy assets overseas during times of war. The applications of
drones were limited and rarely publicized. But now with emerging technology, drones are widely
available to many groups in society from hobbyists to local police and the news media. They can
also be used by terrorists to commit attacks. Insider attacks, or those committed by individuals
who possess legitimate access to an organization, have a long-established history in both private
companies and public agencies. But, like piracy, radicalization, and drones, insider threats are
now more difficult to detect and easier to execute because of the ease with which technology can
be leveraged for illegitimate purposes. A fifth security policy example is cyber threats. The
term “cyber” is admittedly relatively new but threats to networks, infrastructure, communications
systems have an established track record also. But until the emergence of the Internet and
network-based infrastructure over the past two decades, those threats were not a meaningful
security policy concern. Threats to infrastructure have erupted with the introduction of new
technology.
Changing Landscape. Globalization, the rise of the Internet, digital media storage, and
social media are four examples that have forced change, created new security threats, and led to
societal instability. Although they are quite different, their commonality is technology and
growth. “The emergence of so many instant and free messaging services using text, voice, and
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 15
video has no historical precedent and is truly revolutionary in ways that we are just beginning to
understand” (Brooke, 2016, pg. 33). Strategic planning, adaptation, and multi-phased integration
are at the heart of the solution. However, traditional security initiatives and policies are typically
tactical and reactionary, focusing more on the immediate need to ‘fix things’ but lacking the
necessary vision and strategic pursuit of resiliency (Vijayan, 2005; Egli, 2013; McHendry,
2015).
Globalization has created many new ideas, provided a fresh platform for new modes of
communication (blogs, social media, viewing content on the Internet in lieu of the common
television, and so on), and led to new businesses opportunities while simultaneously – sometimes
inadvertently – presenting new risks and threats. It has caused the erosion of traditional
geographic, physical, and logical borders. Overseas supply chains, foreign investment and
partnerships, and the strong dependence on a talented international workforce can bring
uncertainty. Organizations are making greater efforts to leverage cultural diversity through
previously untapped labor pools. Additionally, the dependence on overseas contract firms for
security work can create management and oversight challenges.
This trend has also presented new security challenges. The transformation has been acute
and dynamic. “Globalization and expanded markets have unwittingly introduced the potential
for greater cascading hazards” (Egli, 2013, pg. 36). Credit card numbers can be remotely stolen
in the U.S. from organized crime syndicates in Russia. Pirated movies in China are unlawfully
distributed within days of their release, often in nearly the same quality as the authentic version.
Video cameras small enough to fit inside a popcorn box are used undetected to illegally record
movies in Canada on release day. The use of social media in Sao Paolo, Brazil to mobilize a
violent group of protestors can be done more quickly and seamlessly. Each of these examples
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 16
highlights the far-reaching footprint of criminal syndicates.
This dynamic environment is characterized by changes in risks associated with evolving
technology, an often lagging legal and enforcement protocol, and entrenched traditional
strategies, many of which are either ineffective or even obsolete. How do security directors
know whether their policies are effective? Is government spending on homeland security
initiatives worthwhile? Are resources being devoted to legitimate risks? Are metrics being
used? Are troubling findings being acted on?
Traditional, even long-standing policies must be objectively and academically assessed
for value and impact. Outdated procedures should be phased out. Today’s research should be
strategically and methodically focused on actual risks, real threats, and validated business
disruption drivers. The challenges can be complex and the mitigation strategies should be
customized to meet the unique needs of each organization.
The Internet has forged new and thriving business models and allowed companies to
expand in ways once thought improbable. For example, the Internet has provided new
opportunities for enhanced communication and created an invaluable network of people.
Simultaneously, this interconnectedness has allowed terror and extremist groups to mobilize and
recruit in mass, redefined the concept of transnational crime (which occurs when the victim
resides in one country and the suspect in another), and provided a thriving counterfeit market.
“Interconnected infrastructure systems, while offering greater speed and efficiency, now present
larger targets for potential exploitation by criminals and terrorists because these networked
architectures are operated in an open society” (Egli, 2013, pg. 36). Emerging technology
underscores a balancing act between how technology expands legitimate business while also
providing opportunities for criminal conduct.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 17
Digital media storage has changed the way information can be stored, shared, and
transferred in powerful ways. Information security and the protection of valuable content are
integral components of business operations. Media storage devices are compact, inexpensive,
and versatile. The storage of terabytes of data and content is routine protocol for many
organizations. While this expanding storage capability provides opportunities to optimize
process and structure, it simultaneously creates vulnerabilities. As easily as data can be stored
and accessed for authorized users, it can be misused, acquired illegally, and distributed in
unintended ways.
The widespread use of social media as a function of popular culture has created new
security risks. Confidential information can be shared –intentionally (such as industrial
sabotage) or unintentionally (through carelessness or incompetence) –in ways which make
widespread distribution accessible and potentially harmful to the organization. Websites such as
Facebook, Twitter, LinkedIn, Snap, and Instagram are relatively new companies. Each has
leveraged new technology for user-driven content. From a risk perspective, some companies
have been slow or unsure how to manage this change. Policies surrounding this technology can
be challenging to create and integration with existing protocols can be onerous. The difficult
balance between privacy and legal considerations underscore this challenge.
Key Threats and Risks
Emerging technology has created a lengthy list of challenges for security leaders. While
not all of those challenges can be covered in this project, below are the five most compelling
stories about security policy. Each is directly related to the recent transformation and
advancement of technology. The following five topics will be covered in greater detail later in
the project but a summary of the discussion follows.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 18
Insider Threats. Insider threats have changed and evolved and become a much greater
threat to organizations. The change occurred as a result of three reasons. First, content (e.g.,
production footage, proprietary data, company secrets, financial disclosures, and so on) is easily
transferable via mobile devices, zip drives, and conveniently sized hard drives. These media are
difficult to track and easily transferable from one location to another using physical or electronic
means. The portability of content and ease in selling trade secrets create a new set of
vulnerabilities. Second, companies with a global presence are increasingly dependent on
overseas firms and contractors. Many of these contractors are not subject to the same stringent
background checks as full-time employees. Third, the workforce demands have become
increasingly dependent on diversity, including the hiring of foreign nationals. Authorized
insiders who recklessly manage or maliciously steal internal information create exposure.
Digital Piracy. Piracy, although it is not new, has evolved dramatically in recent years
due to the rising use of the Internet and the ability to easily transfer large amounts of data.
Piracy has been transformed into a thriving underground network of illegal exchange. Terabytes
of valuable content can be distributed globally with the click of mouse or via mobile devices.
Previously, the unauthorized duplication and distribution of intellectual property was laborious
and costly. Content is now transient and portable in contrast with older, traditional methods of
duplication and allows for copying without any degradation of quality.
Radicalization. An increasing number of grave threats against our nation persist. In a
troubling trend, many of these threats come from inside our nation’s border. Online interaction
and proliferation of radical materials has promoted such extremism. Additionally, the Internet
provides a robust medium for dissemination of extremist propaganda. The use of the Internet is
a tool for the identification of sympathizers and potential funding sources. As a result,
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 19
recruitment efforts from overseas terror groups can be more far reaching. Emerging technology
has transformed the way in which extremist ideology can be distributed and accessed.
Previously, the distribution of propaganda and extremist literature required the use of traditional
postal mail or travel for face-to-face meetings. Both options have inherent barriers due to cost,
time delay, or citizenship restrictions. Technology has opened new paths to extremist ideology.
Cyber-Threats. Protecting our digital content and networked systems has become a
considerable burden. The cost of cybercrime in the U.S. ranges between $24 and $120 billion
and the global cost is estimated to be U.S. $1 trillion (Gomes, Ahokangas, & Owusu, 2016).
“Risks and threats to current and future processes in the cyber world are everywhere (as they are
to other – usually mainly offline – crime arenas such as money laundering, transnational
organized crime and, above all, terrorism)” (Levi, 2016, pg. 4). Whereas previously information
security departments were small or non-existent, now they are gaining in size and resources
every year. “Security is changing in ways that will transform what “security” encompasses, how
it’s accomplished, and its role and significance in the organization” (Hayes, 2008, pg. 34). The
targeting of network infrastructure and computer systems has become an extremely high risk
threat which impacts organizations of all types in the form of safety concerns and business
disruption.
Unmanned Aerial Vehicles. The use of unmanned aerial vehicles (UAVs or drones) has
emerged as an important security challenge. Although drones have been used by the military for
many decades, technological advancements have made them more pervasive in mainstream
society. Their contemporary applications have grown significantly. Drones are smaller, more
affordable, and offer many more features and functions today then just five years ago. The
growth in the number of drones for mainstream use has been substantial. Furthermore, hobbyists
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 20
can own and deploy drones with little or no training. With the expanding popularity and growth
in the number of drones owned by the civilian population, questions about the safety and security
surrounding their use persist. For example, drones could interfere with commercial air traffic, be
misused to acquire unauthorized access to a restricted zone, or collide with a person or vehicle
on the ground. How drones should be regulated and who should designate proper protocol
governing their use remain open questions. This policy discussion is underway but it faces an
uncertain future. Meanwhile, the technology will continue to grow, drone use will expand and
the associated risks will continue to be an unresolved policy challenge.
Proposed Responses
Convergence. Traditional security programs are most commonly segregated into
departments or divisions depending on the discipline. For example, information security and
physical security departments are often independent. Convergence, or the strategic integration of
physical security and information security teams, has become increasingly important to
effectively address contemporary risks. Emerging technology has blurred the spectrum of
threats. These threats so often involve both physical and logical protocols. Physical security
policy prevents attackers by using fences, gates, guards, and other barriers to restrict entry.
Logical access are those protocols which prevent an attacker from gaining access to a computer
or network of computers using tools such as passwords, two-factor authentication, and network
firewalls. In light of new technology, the core objectives of these two departments are
overlapping. Even so, convergence of the two disciplines has not seen widespread adoption
amongst organizations yet. Information security within organizations has evolved into an
integral core competency and must be entrenched within a global security management strategy.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 21
Big Data Analytics. In today’s complex security environment, strategic risk assessment
and analysis using innovative technologies such as big data analytics are essential. The results of
such assessments provide organization-specific and actionable data on security risks that an
organization faces. The data and findings will vary across sectors and organizations but the
identification of trends can be useful, nonetheless, as new risk policy is developed.
Emerging technology in the form of analytical algorithms has created new opportunities
for data collection and synthesis. These tools can unearth patterns previously not readily visible
to optimize process, illuminate risks, and support future initiatives. One of the earliest critiques
of law enforcement’s response after 9-11 was their apparent inability to use data for predictive
purposes. They failed to “connect the dots.” More broadly applied, the ability to leverage data
with the objective of improving organizational performance is an essential capability for any
organization. Security performance is just as important as any other critical business function.
Security professionals in both government and the private sector find themselves
continually conducting risk assessments. Some are reactive. For example, the Transportation
Security Administration might receive a bomb threat at one of their airports. The FBI might
receive an anonymous tip from a citizen about a plan to attack a nuclear power plant. A
pharmaceutical company might be threatened by someone who is protesting animal testing in
their quality assurance testing laboratories. During a separation meeting, a disgruntled employee
might threaten his CEO upon learning of his termination. A reactive risk assessment has
limitations and disadvantages. For example, there might be a cost premium in hiring additional
security staff on short notice. Additionally, the organization is unable to consider holistic
solutions since they are expected to make swift decisions to address the threat.
Others are proactive. Since each organization has a unique set of business processes,
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 22
culture, and objectives, big data analytics allow for efforts and resources to be allocated
appropriately based on empirical findings. The number guards required to patrol the perimeter
would likely vary by time of day, day of the week, and so on. Some might require a perimeter
fence and others not. With a risk assessment based on data analytics, “the focus is on gathering
corporate metrics that show how the company can reduce risk exposure and avoid costs – such as
those relating to virus attacks – by implementing the appropriate security measures” (Vijayan,
2005, pg. 48). Armed with reliable research, the top risks facing a company can then be
identified by top organizational leadership.
These examples illustrate that security professionals are constantly conducting risk
assessments and developing policy and protocol on the basis of their findings. If each of these
investigators had additional tools which expanded their capacity to search data, provided clearer
summaries of threat profiles, and enabled reliable methodology to their process, their findings
could be more accurate. The resulting security policy would be more effective.
Organizational Networks. Polycentric problems are complex and generally require
effort by multiple entities to solve them. Today’s threats could be foreign or domestic,
individual or organizational, and local or regional. The teaming-up of resources by government
agencies and private organizations creates efficiencies of scale and allows for improved and
ongoing communication, and shared ownership. These networks can come in various forms.
They could involve public entities, private sector collaboration, or public-private partnerships.
Localized, community outreach programs can help previously unconnected entities build
alliances. Consider a mosque in New York City who develops an ongoing relationship with
local police detectives. These types of relationships are mutually beneficial. When law
enforcement leverages local churches, nonprofits, and charitable organizations, those
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 23
relationships become a force multiplier for information sharing. Examples of public-private
partnerships have been credited for exposing a terrorist plot before it occurs, creating common
ground among previously disconnected community groups, and reducing organizational barriers
in pursuit of safety.
If security becomes inherent in the corporate culture, then there will be not only a greater
focus on risk analysis, but also on opportunities for reducing security restrictions to allow for
new business models – that is, a strategy to achieve long-term financial strength as a company.
For example, a movie company might be able to strategically distribute pre-release footage of an
upcoming movie through social media to spur interest and enthusiasm among fans, without
compromising ticket sales. In this example, the reduction in the security of the content could
actually be used for marketing and promotion purposes. For those leaders and managers setting
policy, a contrarian approach such as this will be not only important but obligatory.
This new organizational philosophy of security must emphasize legitimate risks and
opportunities. “It is no longer the aim to protect confidentiality, integrity and availability of
information but Information Security aims to deliver real business benefits now by both
protecting and yet facilitating the controlled sharing of information and managing the associated
risks across a changing threat environment” (Ashenden, 2008, pg. 195).
Policy Implications and Project Summary
Risks facing organizations, large and small, have evolved in recent years at a pace few
people could have anticipated. A more diverse workforce, an expanded role of operations in new
regions of the world, and a greater dependence on the Internet for commerce pose challenges
which might not have existed just a decade or so ago. Private and public entities alike are
scrambling to keep up with the evolving threats facing them. In being strategic, organizations
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 24
need to think more broadly and recognize the need to possess greater foresight as they acclimate
their security programs. Some commonly implemented strategies, such as more outsourcing to
third parties for core security functions, an increased dependence on insurance to transfer risk,
and a stronger reliance on software products, fail to adequately address the breadth of the
problem. Policies must conform to surrounding conditions but remain flexible enough to pivot
when necessary.
Risks and threats are constantly evolving. Security policy should be adaptive and flexible
to suit that framework. Outdated procedures should be phased out. Traditional, even long-
standing policies must be objectively assessed for value and impact. The synchronization of
such strategies will provide a stable and deliberate path toward sound security policy.
Some organizations have been slow to adequately assess their risks while others have
failed to seek long-term strategic solutions. Policies should be proactive, not reactive.
Organizations often acknowledge new threats and complex challenges facing them but simply
fail to act on them. These shortfalls might be budgetary but more often they reflect
organizational impediments such as institutional stagnation or the lack of leadership. The
following list of policy suggestions identifies what the study aims to improve and how the
findings might help advance the practice:
Security must be considered a core discipline of an organization, one that is
entrenched and ingrained in the culture.
(a) Identify what security policies can be reduced or eliminated.
(b) Adapt and harmonize current policies to better address current threats.
(c) Highlight the importance of convergence – the strategic blending
of information security and physical security disciplines within an
organization.
(d) Establish a practice of reviews and audits at regular intervals
to measure effectiveness of policies and protocols.
This project intends to propose a set of policy suggestions which, if implemented, are
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 25
meaningful and viable for the organization as a whole. Additionally, although security initiatives
are characterized by a basic set of general standards and best practices, there are still nuances
within each organization. Solutions should be customized. This project further aims to identify
a solution broad enough to be effectively applied across different industry sectors but specific
enough to allow security directors to apply lessons from this project to their individual needs.
The project culminates with a set of recommendations and discussion about the future of security
and risk management.
Technology is advancing rapidly. While this creates opportunity and growth potential for
business, the dynamic change and staggering growth could be impeded by lagging legal and
enforcement measures. Compounding the challenges are policies entrenched in tradition or
process driven by antiquated objectives. Outdated policies that are ineffective or even obsolete
must be revised, refreshed, and reinvented. As technology and trends evolve in meaningful
ways, security policy should mirror those changes. Solutions must be adaptive and integrative.
Security’s role and presence within organizations of all types have expanded. The
traditional role of security leaders to manage guard forces, construct tall fences, and implement
emergency evacuation plans is no longer sufficient. This leader now plays an increasingly
diverse role, including ongoing risk assessment, risk analysis, and risk mitigation. Policies and
programs should reflect this evolution.
In the chapters that follow, we will explore how security policy should be crafted given
new conditions. The thoughtful management of risk should conform to dynamic market factors.
The common thread that links all of these threats are new technologies. These risks are not
unfamiliar to security leaders and policy makers but they are suddenly more complicated.
Chapter 2, Protecting Intellectual Property, and Chapter 3, Contemporary Trends in Security
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 26
and Policing, provide foundational background on the history of intellectual property and
contemporary trends in crime and policing. Chapters 4-8 provide contemporary examples of
risks and threats that are different because of the introduction of emerging technology. Chapter
9, The Security-Privacy Dilemma, discusses the delicate balance between security and privacy.
Chapter 10 proposes solutions and Chapter 11 concludes with comments on the future trends in
security policy. Before we explore the key threats and risks –insider threats, radicalization,
digital piracy, cyber threats, and unmanned aerial vehicles –we must first explore the history of
technology as a medium for growth and the history of intellectual property from a security policy
perspective.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 27
Chapter 2 - Protecting Intellectual Property
In order to understand the future challenges facing security leaders due to the emergence
of technology, it is helpful to first provide a summary of the history of protecting intellectual
property through a literature review and background discussion. The protection of intellectual
property has been greatly impacted by emerging technology. This chapter provides a detailed
description on the history of intellectual property and how things have changed due to the
introduction of emerging technology. Contemporary policies to protect intellectual property and
to fight crime may have been effective for many decades but now the challenges are different.
The policy implications for managing, storing, protecting, and distributing content have been
transformed. This chapter sets the foundation for subsequent discussion of technology’s impact
on security policy.
Background
Intellectual property is a term used to designate content, proprietary information, or
confidential research and development, all of which can be valued in economic terms. It has
been a focus of governments, media companies, and other private corporations. Intellectual
property policy is generally defined as the group of laws and restrictions related to copyrights,
trademarks, and patents which protect the owner or custodian of valuable information. The
intent of the earliest government policy was to provide an open environment of research, to
encourage the pursuit of innovative ideas, and to contribute to the advancement of science while
balancing the need to protect those ideas or knowledge. Achieving a balance of protecting the
owner’s work product while still allowing and promoting an open environment of research and
development in the interest of economic, scientific, and social advancement remains a challenge
today. Intellectual property rights (IPR) are muddled within an uncertain legal environment,
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 28
challenges of valuation (e.g., how much is someone’s idea or invention worth), and a rapidly
changing technological world. Globalization has underscored the interconnectedness of the
world and intellectual property protection policy varies greatly since different countries have
varying sets of laws and regulations.
Intellectual property rights can be traced back to when the colonies were freed from the
control of the British Empire. At that time, founders of the new nation realized that IPR was a
key priority so that research and development of new ideas would spur opportunities for
economic growth and long-term stability. In order to achieve this independence, they would
have to lead the way toward advancement of ideas and the utilization of undiscovered and
untapped knowledge. Also realizing that the invention of new technologies was crucial for long-
term stability, most felt that the new country must provide an atmosphere for such ideas to
flourish (Lehman, 1996). There is language in the U.S. constitution which included a provision
to “promote the progress of science and the useful arts by securing for a limited time to authors
and inventors the rights to their respective works” (Lehman, 1996). It is this provision that
paved the way for the patent and copyright law in the United States.
Thomas Jefferson is widely considered to be the first commissioner of patents dating
back to the years 1790 to 1793 when as Secretary of State he and others were called upon to
approve patents (Lehman, 1996). The approval of patents did not initially have a set of criteria
or particular standards and nearly all applications were accepted. This process lasted until the
middle of the next century. It became increasingly clear to U.S. officials that the quality of
patents and the integrity of the approval process should be adjusted to accommodate changing
technology.
Manufacturing interchangeable parts became an important aspect of the industrial
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 29
revolution. For example, the U.S. government hired Eli Whitney to create a system of
interchangeable parts for guns for the military (Lehman, 1996). The government continued to
issue patents and that became central to the industrial boom and the growth of technology.
As new products were developed, invention was at the heart of advancement. Patents
were intended to protect ideas while still allowing researchers to work together to advance
technology and to improve the U.S. economic foothold. The late nineteenth century saw a new
transformation of technologies based more heavily on mass production and newer infrastructure.
“Some of these industrial goods, such as railroads, automobiles, trucks and airplanes, sped the
massive quantities of consumer goods to a newly integrated national marketplace” (Lehman,
1996, pg. 8). Advertising and marketing became important and large corporations saw the
economies-of-scale approach was quite profitable for them. This led to the nation’s first
trademark law in the 1870s (Lehman, 1996). Trademarks would provide a second layer of
protection to companies who could now protect not just their ideas or inventions initially
(through patents), but also their product, by securing its value, country of origin, availability, or
other unique characteristics.
The use of legal protections for patents, trademarks, and later copyrights became known
as intellectual property rights. Ironically, many of the same challenges and legal complexities
which faced our founding fathers centuries ago with regard to IPR still exist today. The most
common of these are related to the criteria used to establish ownership and property rights to the
inventor or creator. While some of the historic challenges were about different components of
the law, the underlying themes have contemporary applicability. For example, consensus about
how to define ownership and how to value intellectual property are common today.
Technology has changed the way information can be shared. While the global economy
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 30
has changed and technology has advanced greatly, policy questions related to ownership and
value remain. The original “economic growth – protection of ideas” quandary still exists but
now with additional nuanced policy challenges. The challenges are specifically related to new
technology and the uncertainty of how best to manage content in this new environment.
The Source of Challenges
Intellectual property has a long history of nuanced political, legal, and social
implications. The policy challenges associated with intellectual property rights are important to
understand. There are six explanations of why intellectual property protection has been a
recurring theme with international implications. The origins of those challenges are the global
implications of piracy, ambiguous valuation, judicial precedent, ease of duplication, consumer
ambivalence, and insider access. These six concepts, discussed below, provide an overview of
why IPR has a long history of policy challenges. This discussion sets the foundation for a better
understanding of emerging technology’s impact on content protection.
Global Implications of Piracy. The increasingly global economy has linked countries
from all over the world for economic trade and growth without a consistent stance on either
defining or protecting intellectual property. Modern communication technology has changed the
way in which we utilize commerce and trade, thereby highlighting the different legal
environments that each individual country has established. “While modern telecommunication
technology – specifically the Internet – made software piracy a truly borderless crime, IP laws
and their enforcement are still mainly confined to national borders” (Nill & Shultz, 2009, p.
292).
The World Trade Organization (WTO) has taken a strong position to curtail global
counterfeiting and piracy. Most political leaders see the enforcement of such laws to be crucial
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 31
to protect innovation, invention, and free-flowing commerce. Not all countries agree and
measures taken to expand the protection of IPR have been cumbersome. “The essence of IPR,
the extent to which IPR should be protected and, ultimately, who benefits from that protection
continue to be a subject of keen debate” (Shultz & Saporito, 1996, pg. 20).
Increasing dependence on technology perpetuates this complex problem. Technological
advancements allow content to be stored cheaply and distributed freely. Large banks of
information are now portable and transferable. Furthermore, content can be distributed (e.g., via
email distribution) to a very large number of recipients with no decline or degradation of quality.
The best example is the duplication of a book. Before digital distribution became so common,
the only way to duplicate a book was to manually copy each page. This was time consuming and
each additional duplicated version was slightly lesser quality than the original. Contrast that
process with a contemporary feature film. Pre-released movie footage acquired unlawfully can
be downloaded and viewed multiple times with no measurable reduction in quality.
Law enforcement agencies are limited in their capacity to enforce piracy or counterfeiting
laws in other countries. They fight bureaucracy, cultural differences, language barriers, and
layers of jurisdictional barriers. Chaudry et al. (2008) underscore this growing problem, “In
2006, the U.S. government estimated the global market value of the counterfeit industry at $500
billion, with a growth rate of 1700% over the past 10 year (U.S. Department of State, 2006).”
Ambiguous Valuation. The second origin of the IPR challenge is that the value of IP and
information remains opaque. Opinions and legal interpretations about ownership and value
designation create uncertainty. Reaching consensus amongst multiple stakeholders is often a
barrier to progress. It is often debated when “knowledge” suddenly becomes an “asset” and how
this value is ultimately determined. Some economists would suggest that if an idea is applied in
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 32
such a manner to achieve financial success, then it is considered an asset and therefore should be
protected with applicable law (Hebeler & Van Doren, 1997). If this value of knowledge-based
property is determined by the United States at one number but not viewed as valuable in another
country, for example, this creates uncertainty. For example, a pharmaceutical invention in the
United States would be provided with legal protections for the organization in the form of a
patent. However, another country might not observe that patent and deliver the same drug to
their market without any consideration of the owner.
Judicial Precedent. The third origin of the IPR challenge is related to how courts have
established the evolving definition of intellectual property. Advancements in technology have
created new challenges in the protection of such content and collective legal agreement can be
difficult. Legislation and policy often lag behind this rapidly changing condition. Courts have
failed to provide clear direction. The court has repeatedly suggested that the role of copyright
law is to create the most efficient and productive balance between protection (incentive) and
dissemination of information, to promote learning, culture and development (National Research
Council Staff, 2000). In a recent intellectual property / patent violation case in China, a U.S.
based company that makes popular shoes with wheels incorporated in the heels won a ruling in
Chinese court against two companies who violated IP law. Despite the favorable ruling, a year
passed before the government took enforcement action (Chaudry et al., 2008).
Ease of Duplication. The fourth origin of the difficulty in protecting intellectual property
rights stems from the ease of duplication. Protected property, ideas, software, and other
resources are mobile and transitive. The ability for a relatively unsophisticated employee, for
example, to download a large amount of information on a small thumb drive with a few
keystrokes was not a meaningful concern just two decades ago. High bandwidth technology and
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 33
peer-to-peer software applications make the transfer and reproduction of movies and books
instantaneous. In a digitized world, duplication of content under specific circumstances is
essential. For example, computer programs are run by downloading them to memory (an act that
some courts have ruled to be “copying” for the purposes of copyright law), and web pages are
viewed by downloading them from a remote network to the local machine (National Research
Council Staff, 2000). Prior to digital technology, information could be shared but with
meaningful limitations. For example, one could check a book out of the library and share it with
a friend. The duplication, however, was difficult and time consuming. Additionally, when the
person shares the book with a friend, it is no longer available for his use which creates another
limitation. With today’s speed and efficiency, content can be reproduced and disseminated in its
entirety with ease.
Consumer Ambivalence. The fifth challenge of IPR stems from the behavior of the
consumer. Consumers do not fully realize the impact of the unauthorized distribution of
intellectual property in the form of various types of content including films, books, and software.
“Although counterfeiting and piracy are illegal in laws and regulations, they are considered as
legitimate acts based on the norms, values and beliefs of some groups in a society and define the
informal economy as the set of illegal yet legitimate activities through which actors recognize
and exploit opportunities” (Li & Yi, 2017, pg. 98). Entrenched in a consumer-driven and
competitive economy, counterfeit sales are dependent on the behavior of people in the form of
spending habits. “With the growing consumer demand for brands and images associated with
pop culture comes a market for counterfeit products, e.g., Walt Disney characters, Marlboro,
Polo, Adidas, Harley Davidson and Coca-Cola, have been favorite targets because of the global
diffusion of popular culture and because the manufacture of these products and images requires
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 34
relatively simple technologies” (Shultz & Saporito, 1996, pg. 19). Many consumers are content
to pay less for recognizable and popular items and are disinterested or ambivalent about the
negative impact their actions might have on a company’s profitability or the broader economic
impact. Some even rationalize their actions as a reasonable reaction to overpriced products from
corporations who already earn large profits. Since it is relatively cheap to produce and easy to
sell such illegal items quickly, profits earned by the counterfeit companies can be high.
Insider Access. The sixth origin of the difficulty of IP protection relates to insider
employees who have direct access to proprietary and valuable information. Employees,
designers, and artists all need the freedom to contribute their work product. They also require
the accessibility to internal resources, tools, and content. This results in a large number of
internal employees (commonly referred to as “insiders”) who have the legitimate right to access
protected intellectual property. This access raises a security policy question. As more
restrictions on access are imposed, operational efficiency can be negatively impacted. Protecting
valuable intellectual property through risk mitigation measures can be helpful but often still
leaves companies vulnerable to theft. In pursuing the optimal balance of risk mitigation and
individual convenience, many organizations focus primarily on their perimeter security. By
securing the perimeter of the property with guards and security devices, they can shrink barriers
and restrictions internally. In many sectors, too many restrictions and access rules can stifle
creativity or workplace culture objectives.
Contemporary Case Studies
There are numerous examples of intellectual property theft and high technology crimes
that have become more common or more complex due to new technology. Software piracy is
among the most damaging form of intellectual property crime and has become a lucrative
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 35
practice. “An often cited Organization for Economic Co-operation and Development (OECD)
report suggests that international trade in tangible counterfeit and pirated goods could have
accounted for up to $200 billion in 2005, and that there was a steadily growing trend for this
figure in the period 2000-2007” (Veer et al., 2016, pg. 631). Highly sophisticated computer
engineers, often in lesser developed countries or in emerging markets, have been known to crack
security codes on prominent software products before they are released to the general public.
For example, an unauthorized version of Microsoft’s German Office packet was available to
consumers prior to the launch of the authentic product (Nill & Shultz, 2007). In addition to the
short-term economic impacts to both the economy and the individual victim company, this could
have long-term impacts on research and development efforts. If authors, creators, and
researchers view the intellectual property regulation policies to be weak, that could
disincentivize their efforts.
Like software, movies are also subject to pirating and substantial annual losses,
negatively impacting revenues from ticket sales and sales of consumer products after the movie
is released. “The commercial value of pirated software climbed from US$58.8 billion in 2010 to
US $63.4 billion in 2011 (Jackman, 2015, pg. 802). Some movies become available on the
Internet before their theatrical release dates. In one example, a Universal Pictures movie The
Hulk was circulated on the Internet about two weeks prior to release date. The person
responsible, an insider who released an unauthorized copy online, was subsequently arrested and
pleaded guilty to a felony count of copyright infringement, but the damage was already done.
There has been an unprecedented increase in prosecutions associated with unlawful leaks
committed by insiders (Sales, 2015). “Nick Lesson is a famous name who made headlines for
the downfall of what was then the United Kingdom’s oldest financial institution – Barings Bank
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 36
– using his detailed knowledge of systems and processes to conceal his activities” (Hills &
Anjali, 2017, pg. 143). In 2010, US soldier Chelsea Elizabeth Manning released sensitive
documents to WikiLeaks and was later convicted of espionage (Hills & Anjali, 2017).
Conclusion
For the foreseeable future, the protection of intellectual property will remain in an
unsettled state. Emerging technology will provide business growth opportunities but create
unintended vulnerabilities simultaneously. While long-standing questions about intellectual
property ownership and value will be largely determined by the courts, the creation of pragmatic
security policy will be dependent on the efforts of practitioners and industry leaders. Because
the technological trends in the area of digital storage are unpredictable in the near-term, effective
policy must be reflective of this climate. Thus far in this paper, we have discussed the evolving
technological landscape and intellectual property protection. The next chapter will summarize
how emerging technology has changed security and policing. Similar to intellectual property
protection, many of the essential elements of the discussion focus on historic and well-
established trends that have been transformed by the introduction of new technology.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 37
Chapter 3 - Contemporary Trends in Security and Policing
The role of policing and justice policy has changed dramatically in recent years as part of
an institutional adaptation in response to new threats fueled by technological growth. Law
enforcement tactics are different because of global threats, a worldwide interdependence of trade
and commerce, expanded social media use, and more dependence on technology based tools.
Emerging technology has created challenging policy questions about public safety services
provided the government, the role and impact of private security guards, and new investigative
tools that are forcing change within the criminal justice system. Law enforcement must
demonstrate proficiency with principles such as flexibility, creativity, and innovation. These
characteristics are not regularly associated with government’s provision of services. Advancing
technology has aided police and prosecutors while simultaneously weakening individual privacy
rights. A technological transformation has created an edict for change.
Background
As organized crime syndicates and terrorist cells throughout the world continue to expand
their use of technology to further their efforts, police and private companies alike will face new
challenges. They will be called upon to conduct complex investigations that often cross state,
regional, or national borders. Computer-related crimes such as hacking, dedicated denial of
service (DDOS) attacks on networks, and identity theft rarely involve a victim and suspect in the
same country, much less the same jurisdiction. The growth of transnational crime has been
significant (Novakoff, 2015; Stoica, 2016). The resulting challenges are complex. The barriers
of effective collaboration between many law enforcement organizations create substantial
challenges in both the investigative and prosecutorial phases of the criminal justice process. The
interconnected, global economy creates jurisdictional blurring of the borders. This underscores
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 38
the vital need for more cross-sectoral collaboration and public-private coalitions. This chapter
will discuss how the expectations of police and private security services, as well as general
security policy, are quickly evolving as a result of emerging technology. Threats and risks have
shifted, policies must evolve, and law enforcement efforts have to align with such changes.
Global fears of terrorism remind us of how far-reaching crime has become. Terrorist
groups have established themselves in overseas locations and varied regions of the world,
thereby making it more difficult to conduct investigations or seek prosecution. Media coverage
of terror attacks around the world are common, creating fear and uncertainty. Making matters
worse is the increasing risk of homegrown violent extremists (HVEs) and violent attacks in the
United States (Southers, 2014).
Domestic acts of violence and terror have international notoriety. Tragically, we have
seen examples of such incidents in recent years. The Boston Marathon bombing (2013), the Fort
Hood, Texas shooting (2014), the San Bernardino shooting (2015), and the Pulse (Orlando)
nightclub shooting (2016) are just some examples. Fears of terrorism and violence are more than
just perceptions. Active shooter incidents in the United States have tripled since 2009, including
a staggering 15 which occurred in 2013 alone (Zakhary, 2013).
Emerging Trends
The Role of Police. Collaboration, decentralization, and new investigative tools are at the
forefront of discussions related to police services. The role of police is often misunderstood and
perceptions are not always accurate. “Our knowledge about the police, what they do, and how
they do it comes from a number of sources, and quite often represents distorted or incomplete
pictures about the police” (Gaines & Kappeler, 2005, pg. 14). The media and entertainment
industry often portrays police work as spectacular, action-packed, and violent. This type of
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 39
coverage often misrepresents their role. “The classic image, however, misinforms public
expectations, distorts understanding of the police, and disappoints police recruits” (Benekos &
Merlo, 2006, pg. 35). An evolving expectation of police and a need to engage differently with
the communities that they serve mean that perceptions matter.
The role of federal law enforcement agencies such as the FBI, the Department of
Homeland Security, and the Transportation Security Administration (TSA) is more visible today
in the context of global security threats. But city and county police departments are equally
integral to collective efforts, broader strategies, and cross-functional collaboration.
Collaboration between police departments and their local communities is of critical importance.
Legislators and security leaders who are developing new policy must be acutely aware of that
role and adjust their goals and objectives based on contemporary requirements.
Responding to these contemporary requirements entails a more strategic and global
approach to threats. The approach must be holistic, comprehensive, and broad. For example, the
FBI, shortly after 9-11, officially pivoted as an organization to be far more intelligence focused.
They placed more agents in international offices and partnered more closely with other
government agencies more traditionally known for intelligence analysis. They hired new staff
and improved their capabilities and expertise in collecting data. Data analytics became a more
everyday tool. The FBI’s goal was to be better coordinated around the globe so that
investigations were linked, trends could be observed, correlative data was shared, and
partnerships with allies could be leveraged for mutual gain.
For small municipal police departments, some of their core roles have remained
unchanged. They still have an important responsibility of interfacing with local community
groups within their jurisdiction. Building trust with their stakeholders is considered a core
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 40
requirement in preventing terror attacks. But with the evolving nature of threats and new
technology, they have been forced to adapt as well. With the emergence of new trends such as
transnational crime, cyber threats, and homegrown violent extremism, the responsibility of local
law enforcement has expanded. “Transnational criminal activity is among the most concerning
soft threats to U.S. national security” (Novakoff, 2016, pg. 136). Their role is now a hybrid
approach of local partnerships and regional coordination. Taken together, societal expectations
of police have shifted and their policy objectives and organizational goals have evolved.
Overall, police departments will be called upon to utilize more advanced technological tools and
be more collaborative with public and private stakeholders.
Law enforcement in the United States has always been decentralized. The effectiveness
of this philosophy is often debated. But tracing its history back to the principles of Federalism it
is believed that a decentralized police force with multiple agencies prevented any single agency
from becoming too powerful. A traditional checks-and-balances of powerful agencies was the
underlying objective. “While it has been debated that a centralized police system, such as those
found in Europe, may be a more efficient system of policing, decentralization helps ensure that
police agencies do not amass too much power and are responsive and accountable to the unique
populations that they serve” (Gaines & Kappeler, 2005, pg. 9). Additionally, threats can be
nuanced and police agencies should be sensitive to their community’s unique needs. In this way,
decentralization allows for the efforts by police to be more customized. Problems can be
addressed more effectively by smaller organizations who are often more flexible and nimble.
This becomes especially important in smaller cities. The majority of police departments in the
United States are small and have less than fifty sworn officers (Gaines & Kappeler, 2005).
Similar to municipal police departments, federal agencies can leverage decentralization
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 41
for improved service provision as well. Highly specialized divisions and agencies within a larger
organization such as the U.S. Department of Homeland Security are able to provide more
specialized training and a tailored response to unique crime challenges. This approach allows
services to be more adaptive and fluid. Although the core function of the police is similar in
different cities and states, the diversity of cultures and multitude of service challenges allow for a
better response. This is achieved since each organization tailors their service based on the
unique considerations and service requirements of their community. Those unique
considerations could be related to demographics, socio-economic within the community, and
crime trends. “Decentralized departments facilitated the exercise of discretion and personal style
to maintain order in the neighborhoods” (Benekos & Merlo, 2006, pg. 40).
Dependence on Private Security. An increasingly global economy, among other factors,
has increased our reliance on private security services for crime control and public safety. As a
result, the private security industry is expanding rapidly. It is among the fastest growing
industries with a worldwide demand. Recent studies indicate that private security guards in the
U.S. outnumber police officers three to one (Nalla, Maxwell, & Mamayek, 2017). Though the
data is often sketchy for many countries, estimates suggest that in some countries, such as the
United States, there are three security guards for every public law enforcement officer,8 while in
other countries, such as Hong Kong, the number is 5 to 1, with an even higher ratio in
developing countries.9. “Due to the privatization and deregulation of the public sector since the
1980s, and the globalization processes since the end of the cold war, the private sector controls
85 % of the critical infrastructure in most Western countries” (Bures, 2015, pg. 690). This
increasing dependence on contract security raises concerns about whether the government is
providing adequate services and whether the training for private security is adequate. It is
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 42
indicative of a growing perception that society needs to provide security for itself and that
traditional government police services are inadequate. “In this more market-oriented and
individualized view of security, consumers are to a degree responsible for their own security,
both in terms of their behavior and in terms of making provisions for their own protection”
(Abrahamsen & Williams, 2009, pg. 5). Some of this concern stems from the media
sensationalization of crime, implying an increasing crime rate and rampant violence in our
communities. Some sociologists point to the public’s concerns about the government’s ability to
handle such a complex challenge like global terrorism as another factor in the expanding use of
private security services.
Although private security forces have played a significant role in the response to
domestic and global terrorism fears after the terror attacks of September 11, there are policy
concerns about the long-term consequences of this increasing dependence. This change is not
without controversy. Sociologists worry that the increasing role of private contractors both
domestically for security guard services and abroad for specialized military operations may have
unintended consequences. Some examples of these consequences include inadequate training
and a lack of management oversight. Questions of inconsistent regulation, lack of
accountability, substandard training, and lack of cooperation and collaboration with government
agencies are all areas which require thoughtful assessment.
The hiring standards for private security guards are less stringent than those which
regulate police officers. Generally, each U.S. state has a set of legal standards and guidelines for
police departments. Those standards typically include hiring, training, and retention guidelines.
There is also federal law that governs similar standards for federal officers. But the oversight of
private companies that provide security services is more inconsistent. There are some state-
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 43
mandated requirements that provide oversight of the private security industry but these vary
greatly. Not all private security companies conform to procedures, practices, and performance
standards. Others comply with the requirements but the routine auditing of their compliance is
not mandated. This means that private security is largely unburdened by state regulation and
their legitimacy is questioned (Nalla, Maxwell, & Mamayek, 2017). Legal accountability is our
primary means to regulate, monitor, and evaluate police power in a fair and impartial way.
Private security companies sometimes operate outside this arrangement since the state-mandated
standards are enforced with varying levels of effectiveness.
Policy Trends. Emerging technology has resulted in several trends which influence
police investigative tools. “Big Data sources such as historical crime records, along with
geospatial and demographic data, can be complemented with real-time social media data, from
Twitter for instance” (Hilbert, 2016, pg. 145). Additionally, the police have implemented more
online resources for the community such as crime reporting, convenient access to crime
statistics, and downloadable forms previously only available at the police station. There is also
an increasing dependence on computers to distribute crime bulletins and community outreach
briefs.
Technology has improved efficiency in many areas of crime fighting and police tactics,
but not all of the impact of technology on society has been positive. Technological growth and
security policy implications have an uncertain future. There are increasing amounts of identity
theft, financial fraud, and other forms of computer crime (Novakoff, 2016). In these types of
crimes, computers are used to retrieve confidential information and create forged documents
such as birth certificates, checks, personal identification, or deeds of trust. In all of these cases,
computers make these crimes possible or substantially easier. As technology continues to
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 44
advance, so will the opportunities for unlawful conduct associated with that growth.
There are four notable examples of security policy trends that have been greatly impacted
by technology. Using the Internet for criminal purposes, the use of surveillance (private and
public), biometrics, and DNA tracking are policy examples that face an uncertain future as it
relates to technology growth and privacy. This list is not comprehensive as there are many more,
but it is illustrative for the purposes of setting the foundation of the forthcoming chapters. Those
chapters will provide more detail.
First, the Internet provides new opportunities for criminal activity. Examples include
stealing someone’s identity, conducting unauthorized financial transaction, or sharing illegal
content like child pornography. Content can be shared and distributed more efficiently. A file-
sharing tool such as a Peer-to-Peer (P2P) connection is a network of computer users who allow
shared use of applications and content. This technology provides for convenient sharing of
information while simultaneously providing an outlet for illegal behavior. Investigations have
revealed that P2P networks are increasingly being used for criminal and illicit purposes
(Peersman, Schulze, Rashid, Brennan, & Fischer, 2016). File sharing software has been linked
to pirated, pre-released movies, and widely publicized music theft in addition to the previously
mentioned child pornography. Since computers, the Internet, and P2P software have a multitude
of legitimate uses and societal benefits, limiting or restricting their use is a challenging policy
issue. Additional discussion about computer networks and their vulnerability is provided in later
chapters.
Second, surveillance tools being are used more frequently due to improved capabilities,
wider application, and societal fears about crime and terrorism. Surveillance is most commonly
discussed within the context of closed circuit television cameras for security monitoring, but
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 45
many other uses have also raised concerns. For example, in 2013 the exiled former government
contractor Edward Snowden exposed a confidential government surveillance program aimed at
preventing terrorism. This disclosure, among other things, raised concerns about the U.S.
government’s efforts to track the activities of private citizens. In general, the use of advanced
technology for surveillance allows smaller numbers of security personnel to record and monitor
camera footage, phone data, and other information from a centralized command center or
headquarters.
With the concern about global terrorism and mass casualty threats, security and
surveillance has taken on a new, more pronounced role in society. “Under the new imperative of
security –when every issue has come to be seen as a threat to the sovereignty of the state and the
well-being of its citizens– every individual is now potentially a threat, so the work of different
types of agencies is now directed toward the new goal of providing security” (Bajc, 2007, pg.
1568). The increasing use of such surveillance for crime reduction will undoubtedly have
important policy implications as it relates to individual and collective privacy.
Third, the use of biometric technology to authenticate a user with a fingerprint or iris scan
has expanded. It is considered to be an extremely accurate tool. This change has been primarily
the result of emerging technology, enhanced capabilities, and the reduction in manufacturing
costs. The price to install these systems has decreased dramatically over the past decade, thereby
creating more opportunities for mainstream application. It is used to restrict and track physical
access in very secure environments in both government and the private sector. Biometric
applications and other access control tools will expand this trend of tracking movements,
continuous monitoring of human behavior, and the perceived erosion of individual rights.
Fourth, the use of DNA by police and prosecutors for tracking habitual offenders has
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 46
grown with new technology. Highly sophisticated testing equipment once expensive and time-
consuming to use is now mainstream in most medium or large police departments. Most states
now have mandatory DNA recording for felony convictions and sex offenses. High-profile
prosecutions of criminal cases are often covered in the media, which generates public and
political support to expand this application of DNA tracking for the purposes of crime reduction.
It is anticipated that its use in the criminal justice system will continue to expand. Furthermore,
it highlights a growing trend of tracking personal identifying information about individuals.
“This accumulation of information across space and time allows the experts to encode the past
activity and the present activity into a trajectory that can now be classified into subclasses of
degrees of danger or threat” (Bajc, 2007, pg.1569).
Each of these themes generates new questions about security policy and the associated
impact on privacy. Some examples of these questions include:
1. Who is responsible for keeping the Internet safe?
2. Who determines when surveillance cameras are infringing on personal privacy?
3. How safe in the personal identifying information (PII) that the government stores
about private citizens?
A world in which an instructional guide about how to build a bomb is easily searchable on the
Internet, the distribution of dangerous chemicals and weapons of mass destruction is easier to
hide, and sophisticated financial fraud occurs transnationally is a relatively new phenomenon.
This highlights the need for collaboration and illustrates the interdependent and deeply
interconnected nature of the world.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 47
Conclusion
The new era of crime and terrorism has brought about many changes. Law enforcement
initiatives and objectives have evolved. Police have been forced to adapt to new risks and threats
with an expanding scope of responsibility. In some ways, this transformation redirects the
traditional police philosophy which emphasizes personal interaction and cultivating community
relationships toward one that is more technology-centric. Examples include surveillance,
enhanced tracking techniques, and new methods of monitoring behavior. In other ways,
alliances between law enforcement and the communities they serve are absolutely essential. This
dynamic creates an unintended intersection of conflicting goals. There are policy concerns about
this changing dynamic. Societal perceptions about one’s personal safety could lead to an
openness to relinquish certain rights and freedoms. In contrast, this transformation of using
technology to track and monitor the actions of citizens will undoubtedly create concerns about
overreaching government abuse. The next chapter on insider threats is the first of five which
provide a detailed discussion about how and why new technology has transformed security
policy in a powerful way.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 48
Chapter 4 - Insider Threats
Organizations face multi-dimensional security problems. The challenges are complex
and dynamic. The influence of emerging technology has categorically changed the way insiders
can cause harm. An insider is defined as someone with legitimate access to an organization’s
physical site, computers, and / or network. It could be a full or part-time employee, a contractor,
an intern, a temporary employee, or an authorized guest. These individuals often possess
unfettered access to proprietary information, trade secrets, unreleased content, or customer data
bases. The mobility of content and transitive nature of technology today create complex
management challenges. While external threats and attackers often garner more attention and
resources, insiders can sometimes pose greater risks. This dynamic is amplified by new
technology.
In order to mitigate security risks, organizations often deploy security systems in the form
of cameras for surveillance, card readers for access control, and network security architecture to
protect sensitive content. The physical security infrastructure, devices, and network applications
can be costly. While they are an important component of an organization’s comprehensive risk
mitigation policy, they have two weaknesses. First, they fail to adequately address insider
attacks. Second, most organizations do not have the staff to monitor cameras, card readers, and
network abnormalities in real-time. As a result, they tend to be more effective tools for post-
incident investigations and after the damage is done because the authorized employee who
committed the attack is not discovered at the time of incident.
Background
There are numerous incidents of insiders going rogue and committing administrative or
even criminal breaches. Many such examples have been analyzed in hopes of developing new
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 49
policy to address this challenge. In 2007, FBI agents arrested Lan Lee (an American citizen) and
Yuefei Ge (a Chinese national), who were engineers employed by Net Logic Microsystems, a
semiconductor company that sells network processors and integrated circuits. They were
accused of producing their own line of microchips after they used their legitimate access to
download confidential company information (Predd and Pfleeger, 2008).
Public organizations and governments are not immune from insider attacks. The City of
San Francisco’s Network Administrator Terry Childs locked his team out of the network and
provided restricted access to third parties after he was disciplined for poor work performance,
causing an undetermined amount of money due to business disruption (Hayes et al., 2011). In
another example, a DuPont employee accessed thousands of documents and scientific abstracts
valued at $400 million with the intent of selling them to a rival company (Hayes et al., 2011).
These examples highlight just a few of the methods that insiders might utilize in committing an
attack against their organization.
As the theft of intellectual property becomes an increasing threat to organizations with
new technological tools, insiders become a bigger concern. Research indicates that 70% of fraud
is perpetrated by insiders rather than by external criminals but that 90% of security controls and
monitoring are focused on outsiders (Colwill, 2009; Steele & Wargo, 2007). Insider attacks
against companies can be damaging to the financial bottom line, to the brand, and to employee
morale. Insiders can leverage emerging technology, sophisticated data transfer, and information
storage tools to carry out these thefts in ways not possible years ago. More troubling is that these
occurrences can often go undetected for months or even years, especially if the insider is adept at
spying and thoughtful in his execution. For example, Greg Chung was a Chinese-American
engineer who sold NASA secrets to the Chinese government for 30 years before his prosecution
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 50
in 2009 (Bhattacharjee, 2014). There are numerous illustrations of this type of attack and
additional examples are summarized later in this chapter.
Technology’s Impact on Insiders Threats
Globalization has greatly transformed the way companies operate. Overseas operations
and subsidiaries provide new business opportunities. The Internet’s ability to cross boundaries,
reduce distance-based hurdles, and link previously independent markets gives rise to a new
world marketplace (Kung et al., 2008). Wakentin (2009, pg. 101) found that growth can occur
rapidly, creating both risks and profit:
As our institutions (economic, political, military, legal, social) become increasingly
global and inter-connected as we rely more on automated control systems to
provide us with energy and services and as we establish Internet-based mechanisms
for coordinating this global interaction, we introduce great vulnerability to our
systems and processes.
Outsourcing, cultural differences, social media use, and an increasingly mobile workforce are
examples of trends which make insider threats a more substantial risk for organizations.
Outsourcing. Many companies are facing increased market-based challenges such as
aggressive competition resulting tighter profit margins. To mitigate some of the challenges in
this dynamic environment, a major business trend –outsourcing– is more widely used.
Outsourcing allows companies to find specialized labor around the globe in hopes of improving
efficiency and decreasing costs. This approach can leave the company more vulnerable since
third party staff has access to critical business information and networking systems.
“Outsourcing can lead to the fragmentation of protection barriers and controls and increase the
number of people treated as full-time employees” (Colwill, 2009, p. 190). Organizations often
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 51
have strong security controls in place to protect sensitive data at their U.S. locations but do not
always duplicate that same level of protection overseas. But once the information is accessed by
overseas contractors or vendors, the organization’s ability to monitor, access, and track content is
threatened. Many of the companies who provide overseas contractor services have high turnover
rates, creating organizational instability and exacerbating the already existing security
challenges. Finally, an organization’s ability to conduct thorough background checks on
overseas staff can be hamstrung by privacy laws. As a result, the checks can often be unreliable
or incomplete.
Cultural Differences. Cultural norms and mainstream business practices can vary
greatly from country to country. Institutional ethics and professional values can conflict. For
example, routine business practices overseas are often in conflict with the U.S. legal system.
Moreover, the enforcement of law violators varies greatly. In some countries, substantial gifts
and even bribes are integral and routine components of the negotiation process (Colwill, 2009).
Language nuances and the literal translation of contracts can also create confusion or
disagreement about the performance expectations of temporary or contract staff. Legal
agreements and negotiations are often managed by non-native speakers who might not have any
experience in the country for which it is written. Legal jargon in contracts is often left to
individual interpretation and resulting misunderstanding can prolong the approval process and
threaten efficiency. “Even where there is no disagreement over the explicit meaning of the
wording, the implicit perceptions and expectations behind them may differ – driven by the
history of security approaches within any given company and country” (Colwill, 2009, p. 191).
Social Media Use. Technological and social factors are also affecting the insider threat.
Social media, the mobility of data, the merging of multiple applications and the increasing
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 52
dependence on off-site and so-called cloud computing all contribute to increasing risk profiles
that companies are facing. More company data, which often includes proprietary or confidential
information, is spread amongst multiple sites, accessed by more people, and subject
infrastructure disruption or failure. Many companies underestimate the risks associated with an
increasingly digital and connected environment (Williams, 2008).
Mobile Devices. Mobile communications allow employees to work remotely, travel while
maintaining a link to the company, and exchange information more efficiently. Work-related
news and proprietary information are often shared on social media sites listlessly and freely, with
little regard for disclosure or security concerns. Some companies lack established rules on the
use of personal networking sites and instant messaging which presents a porous security
environment.
While many firms are scrambling to keep up with this rapid change by implementing
appropriate security protocols, this transformation must be delicately balanced with employees’
demands for expanded freedom and flexibility. Mobile devices with increasing memory capacity
and faster processing speeds increase efficiency and risk. These devices are becoming smaller,
lighter, and easily transportable. This makes a laptop theft or covert copying of files from a
workstation easier for the attacker. The transient nature of data improves convenience while
simultaneously creating new risks.
Global Travel. Business travel, having become more vital in the global economy, raises
new threats and expanded vulnerabilities. Many companies have not implemented policies and
procedures for safe business travel for their employees. Virtual private networking (VPN)
allows employees to have access to internal networks while away from the office, whether at
home or while traveling. Previously, access was restricted to the workplace. Joyce (2006)
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 53
stated, “Business trips abroad are especially vulnerable; briefcases and luggage can be searched
or their contents copied covertly either at border crossings or hotel rooms. This is far more
common than most organizations or employees may know” (pg. 38).
Types of Attackers
Insiders possess valuable internal knowledge that can be easily distributed or shared. In
reviewing past occurrences, there are some common tactics that attackers have used. In some
cases, an employee was specifically targeted in hopes of compromising them since they have
internal access to information that could be valuable to an outsider. For example, businesses
may target a competitor in hopes of gaining access to unauthorized information. They
accomplish this through two methods. First, they will place a “spy” within the organization in
hopes that they can acquire valuable trade secrets from the competitor. In order to do this, the
organization would need to have their representative successfully land a position with the
company. Now holding a legitimate position within the company, the insider would attempt to
acquire information or data and provide it to their external co-conspirator. Alternatively, they
may attempt to recruit an existing employee who already has authorized access to confidential
data and provide compensation or other benefits in return for such information. Both options can
be effective. There are four levels of insider threats which range on the spectrum in both impact
and severity: criminal, unethical, reckless, and careless.
Criminal. Criminal attacks are those carried out by a rogue insider with the deliberate
intent to harm the organization or achieve financial gain. This type of threat to an organization is
the least frequent statistically speaking but can have the highest impact. These types of incidents
are rarely publicized because it places the organization in a negative light. Criminal attacks, in
the rare cases when they do become public, are frequently perceived as the most serious type of
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 54
the four attacks. However, despite that common misperception, the impact and severity of an
unethical, reckless, or careless attack could be just as serious.
Unethical. Unethical attackers usually occur when an insider feels a sense of injustice but
does not intend to commit long-term harm. This type does not fully recognize the magnitude of
their violation until they are apprehended. These types of attacks are most common when a
former employee is disgruntled or feels a sense of injustice about how he or she was treated.
Reckless. The reckless insider is one who simply fails to abide by organizational policies
and procedures in ways that create serious risk exposure. This type of threat is relatively
common since many organizations fail to effectively integrate their workforce into a broader
framework of security and risk management. An effective security department depends on the
collective awareness and engagement of all employees.
Careless. Finally, the careless insider is one who has no intent of compromising any
intellectual property and has little or no understanding of what risks their behavior is creating.
This is the lowest level of the insider threat. It is also the most common of the four. This
chapter focuses primarily on the criminal and unethical categories but the strategies that are
outlined later in the chapter will be helpful to mitigate the impact of all four types of threats. The
primary difference between reckless and careless is that reckless employee knows the protocols
and deliberately ignores them whereas the careless employee was not trained properly and
simply is not aware of the risks of their actions
Profiling the Attacker
Organizations often do not fully acknowledge risk. As a result, proactive prevention
policies are not implemented. In reviewing past cases of successful insider attacks, there are
objective behavioral signs which can be a valuable training tool to prevent further attacks. “It
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 55
identifies that a pattern of behavior has deviated from its norm, but also quantitatively measures
the probability that the observed behavior is risky (Warren, 2015, pg. 7). This information can
be useful to craft new policy in hopes of bolstering an organization’s security posture.
There are specific behavior or performance indicators that can be used to flesh out
potential insider attacks before they occur. An example might be an employee whose
performance changes dramatically or whose behavior becomes concerning. Warning signs of
rogue employees are almost always evident in advance of the attack. Certain behaviors are
correlative. Single or isolated behavior abnormalities are less predictive but the totality of
multiple data points evaluated together can be indicative of greater concerns.
Collective awareness is the most effective strategy to discover, identify, report, and
respond. The organization must establish a consistent process for reporting. Inaction by
companies after receiving reports of certain suspicious behavior can be devastating. Colwill
noted, “A common finding of most post-incident investigations is that warning signs of changes
in people’s attitudes, behaviors and actions had been seen by others but that nothing had been
done about it” (2009, p. 192). In researching past insider attacks, noted insider threat author Eric
Cole (2006) developed the following list of behavioral characteristics in his book titled,
Protecting Enterprise from Sabotage, Spying, and Theft:
▪ They had minimal technical knowledge.
▪ They worked at various positions.
▪ Their attacks focused on intellectual property.
▪ They were money driven.
▪ They did not fully understand repercussions.
▪ They somehow tipped other people off about what they were doing.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 56
▪ Anger played some part of their attack.
▪ External indications of their attack were evident.
▪ Their actions had an adverse impact on the company.
One of more of these may be factors in an insider attack but generally not all are present. The
list above is discussed in greater the detail below.
Minimal Technical Expertise. Insiders have access to confidential and proprietary
information as a routine function of their position or role. They do not require specialized skills
or knowledge to commit attacks against the company since they possess legitimate access.
Furthermore, insiders have knowledge of the security protocols, the company’s security posture,
and the organizational culture. This allows even unsophisticated attackers with minimal
technical knowledge to uncover vulnerabilities and how best to keep their actions secret.
No “Typical” Position Held. There is not a classic or typical position within the
organization that successful attackers have held when their activities were discovered. They
could be a third-party contractor, an established executive, or a temporary intern. “The
malicious insider can come from any function of the organization” (Hayes et al., 2011, p. 35).
Insiders sometimes act alone, sometimes with the support of another insider, or sometimes
supported through an external state-sponsored entity. They could have joined the organization
initially with the intent to commit an attack or they could have been recruited by an external
entity after they were hired. In developing policies to mitigate these risks, organizations should
create them to include all business functions at all locations.
Intellectual Property is the Likely Target. Third, the majority of the attacks are
focused on the intellectual property (IP). The company’s IP holds the most value and it is the
easiest to steal. A single laptop could hold millions of dollars’ worth of trade secrets and
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 57
proprietary information. “Economists estimate that between 50 and 85 percent of the value of
today’s corporations stem from intangibles such as trade secrets” (Caputo & Stevens, 2009, p.
14).
The manner in which intellectual property is created, maintained, and distributed makes
controlling it arduous. High-capacity data storage technology and cloud computing provide new
and evolving methods for insiders to capture and disseminate unauthorized information to
external parties. This can be done quickly without detection. Policies developed to allow for the
reliable audit and tracking of employee’s access to content are imperfect or not monitored
regularly.
Financially Motivated. The fourth characteristic of malicious insider incidents is that
they are money-driven. Money plays a role in most insider attacks. Financial gain is the most
common motive in stealing trade secrets since that information can be valuable to a competitor.
Attackers use legitimate access to customer databases to use the information for criminal
reasons. In one example, a bank employee might legally access a customer profile in the normal
course or scope of their job but then sell that information in an unauthorized manner for the
purposes of committing identity theft. The financial impact might be indirect and occur without
the financial institution becoming aware. Another example is disgruntled employees. They may
feel mistreated or that they suffered harm because they were not promoted or given a raise. As a
result, their motive is a combination of revenge and financial since they intend for the company
to suffer financial loss or reputational harm.
Misjudging the Consequences. The fifth characteristic of insider attacks is that most do
not fully understand the magnitude of their actions. Alternatively, one may justify his or her
behavior because of perceived unfair treatment by the company. Some attackers view the
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 58
workplace as a closed environment and do not recognize that police involvement during the
investigation could lead to criminal prosecution or jail time. “Many people who commit insider
attacks do not truly understand how much trouble they could get into if they are caught and more
basically do not even realize they are breaking the law” (Cole, 2006, p. 304). Employees
wrongfully assume that if their actions are discovered, they will suffer administrative penalties
such as suspension or termination but not criminal prosecution.
Leakage. Sixth, when insider attacks occur, co-workers or friends almost always know
about it before it occurs or while it is occurring (Kirkpatrick, 2008). In some cases, co-workers
actually witness the behavior. In other instances, they become aware through leakage. Leakage
is defined as pre-attack communication from the rogue employee to a witness (co-worker, friend,
or family member). For a variety of psychological reasons (which are outside the scope of this
discussion), attackers often feel the need to convey their motives or plans prior to carrying them
out. This characteristic highlights the important role that companies can play in prevention
through education and awareness programs. It is vital that co-workers make thoughtful
observations and report concerning behavior. Even with enhanced training and collective
awareness of these risks, co-workers are often afraid to report the wrongdoing of a colleague.
The organization should regularly reinforce open reporting and transparency. In some cases,
multiple employees become aware of the actions of a disgruntled colleague but all fail to act.
Anger. The seventh characteristic deals with anger. When insiders opt to commit some
type of internal violation, theft, or economic espionage, anger is often the motive. Most
commonly, it can be caused by resentment from unfair treatment or perceived poor management.
The malicious insider often feels hopeless. They believe that they have exhausted all other
options and must resort to these actions to enact revenge. This characteristic is often outwardly
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 59
portrayed and observed by co-workers and supervisors. While not all angry or disgruntled
employees actually resort to committing an attack, it is a troubling sign that should be
thoughtfully assessed and monitored.
External Indications. The eighth characteristic of a malicious insider attack is the
external behavior of the employee. There are two types of these indicators: suspicious business
factors and suspicious personal decisions. Certain business factors could trigger actions by an
employee who feels negatively impacted. Factors such as declining stock price, poor quarterly
earnings, negative media coverage about the company or employee, or the loss of key businesses
or alliances could trigger an attack. These signs do not automatically signal an insider threat but
they are flags that should be monitored and assessed. In some cases, further investigation might
be justified.
Personal indicators are deviations from typical behavior or performance. These types of
deviations should serve as red flags for the employer. They might include unusual hours (an
employee working too many or too few hours), unexplained absenteeism or tardiness, visual
frustration, negative postings on social media or networking websites, or other meaningful or
distinctive changes in personality. Other behaviors to be aware of are inappropriately seeking
classified or proprietary information or remotely accessing internal computer networks after
hours or while on vacation. Employees who present these types of behavior will not necessarily
resort to committing insider attacks but should be monitored more closely. This behavior is
distinct from the sixth factor in that their behavior here is more passive, whereas leakage is an
active decision by the offender.
Sabotage. The ninth characteristic of the malicious attacker is a desire to cause negative
financial impact to the company. In these incidents, the motive of the employee is to achieve
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 60
maximum impact by creating negative publicity or direct financial loss. These situations differ
from purely money-driven events discussed earlier because the company suffers the negative
impact (e.g., negative publicity or direct financial loss) while the employee does not necessarily
benefit financially. In cases of a sabotage-motivated attack, sometimes the full impact of the
actions might not be known for days, months, or even years after it occurred. This lag effect
makes the subsequent investigation and potential prosecution more challenging.
Apprehending Attackers
Although all cases are unique, there are some common explanations which explain how
rogue employees eventually get discovered and apprehended. Cole (2006) notes that attackers
are generally caught for four primary reasons:
▪ Greed: Once the employee is successful in their efforts, the often think they
will never be caught and continue with their actions.
▪ Boastfulness: Similar to leakage noted above, people have a natural
inclination to share information or even boast about their actions.
▪ Sloppiness: Complacency can become a factor as employees feel like they
will never be discovered.
▪ Stupidity: Research generally indicates that people often get discovered as a
result of their carelessness.
There are policy lessons that can be drawn from Cole’s nine characteristics. First, this is
not intended to be scientifically predictive of internal attacks by employees. Each instance must
be cautiously reviewed within the broader context and setting. Rather, they are intended to serve
as a practical guideline for organizations to leverage in policy development. Individual incidents
or isolated examples of these behavior and performance factors are not always correlative of an
attack. These behavioral signs can create a basis of understanding about the methods that
employees used in carrying out their attacks. Second, in most post-incident reviews of insider
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 61
attacks, employees came forward and acknowledged red flags that they observed but did not
report. This underscores the importance of organizational awareness and targeted training.
If organizational culture and well-established protocols use the behavioral signs to raise
collective awareness and recognize the reasons that violators get caught, losses can be reduced.
Proactive polices can be crucial in prevention efforts. Organizations need to promote a culture of
openness and employees should all feel empowered to report suspicious behavior. All
employees should be engaged in these efforts and be continually reminded that they are a vital
part of the security strategy.
Mitigation Strategies
The techniques that insiders use in committing attacks are predictable. In most instances,
they are preventable. Awareness is the most valuable strategy to mitigate risk. Security
awareness should be ingrained in the culture of the organization so that all employees feel like
they are part of the solution. Emerging technology will continue to advance rapidly and provide
new opportunities for growth and efficiency. Recognizing this impending growth, organizations
need to focus on their most valuable assets, identify potential exposure, map-out worst-case
scenarios and implement the appropriate control measures.
The integration of technology to enhance security and protect intellectual property is
undeniably important. It is an essential component of sound security policy. Such examples
might include access control processes, diverse IT-related security protocols including strong
network firewalls, compliance with government regulations such as the Sarbanes-Oxley Act
(SOX), and the segregation of key data so that people only access the necessary content. While
the previously suggested controls are essential, the workforce is often the most critical weakness.
People are an important asset to a company. They are also the biggest vulnerability.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 62
Since people have such a crucial role in a company’s viability, reputation, and growth, finding
the appropriate balance of freedom to work with reasonable restrictions that mitigate risk
becomes a challenging policy issue. The difficulty in achieving this balance is often overlooked.
It is perceived to be easier to deploy more technology instead of creating broad institutional
awareness and a resilient culture of security.
Technology is only part of the solution. The remainder is a holistic approach which
incorporates the human factor (Colwill, 2009; Warkentin & Willison, 2009; Kirkpatrick, 2008;
Williams, 2008; Cole, 2006; Joyce, 2006). A holistic risk mitigation strategy is one which
values people as assets and incorporates them into the security process. For example, pre-
employment background checks should be thorough and comprehensive. Problematic
performance or behavior should be addressed promptly. Employees should be trained regularly
about the signs and symptoms of insider attacks and how those attacks can cause great harm to
the organization. Training and awareness about the insider threat risk should be a priority of any
organization. It is important for all employees to feel as though they are an essential part of the
solution and that they play a crucial role in mitigating risks to the company.
The accounting firm Ernst & Young conducted a global survey of 1400 companies in 50
countries and concluded that endpoint security (referring to the human side of computer use) was
the greatest threat stating, “Researchers found that awareness and personnel issues remain the
most significant challenge to delivering successful information security initiatives” (Warkentin
& Willison, 2009, p. 102).
Establish Formal Protocols. Because insider threats can be committed against any of
the critical business processes within an organization, a multi-disciplinary prevention team
should be created. This team should include representatives from each core discipline such as
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 63
finance, legal, human resources, internal audit, manufacturing, development, compliance, and
technology. This prevention team should formalize a list of key strategies including the steps
summarized below.
● Background Checks: Comprehensive background checks of potential employees are
a proven strategy to keep potentially malicious employees out of the organization.
Research indicates that past behavior is a reliable predictor of future behavior. While
effective checks can be costly and time-consuming, prevention remains the most
effective strategy.
● Formation of a Crisis Response Team: A team of leaders in the organization should
be created to both strategize policy and respond to crisis in a systematic way. All
departments and core function units (legal, human resources, finance, real estate,
operations, corporate security, and so on) should be represented. This has functional
and cultural benefits by showing the organization as whole that it is committed to the
safety and security of its employees.
● Visitor Policies: Companies should create appropriate visitor policies and require
compliance. These can be configured so that business processes and company growth
are not hindered by overly restrictive rules. But, at the same time, visitor logs should
be accurate and auditable.
● Computer Level Precautions: These might include automatic log-out after a short
period of inactivity, two-factor authentication passwords (requiring both a password
and a unique personal identification number sent to a cell phone), appropriate firewall
installation with malware monitoring capabilities, disabling of USB ports, and file
capacity restrictions for both incoming and outgoing email attachments. This should
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 64
include active monitoring of email and Internet usage with an internal alerting
system. Detection methods should be set to the access level of each department or
team so that blanket policies do not miss key groups or individuals or place
unnecessary restrictions on others. Laptops should be encrypted and configured so
that they can be remotely wiped in case of theft or loss.
● Simulations and Drills: Having the multi-disciplinary prevention team conduct
recurring drills to identify the company’s vulnerabilities is vital. These allow the
prevention team to work together on a hypothetical crisis in a controlled environment.
Most importantly, these drills can serve to drive practical policy development which
is unique to each individual company and tailored accordingly.
● Awareness and Education Programs: These programs aim to establish a security-
centric culture which provides clearly-communicated policies, mandates training for
employees, and designates an escalation protocol for reporting threats, concerning
behavior, or potential wrongdoing. This process should also incorporate a method for
anonymous reporting. It should have strong language which strictly prohibits
retaliation for such reporting.
● Managing Remote Connectivity: The company should establish clear guidelines for
employees related to VPN access and possession of company-issued laptops and
other mobile technology which contain confidential data. Basic security
recommendations when traveling with laptops and cellular phones can be helpful risk
mitigation strategies.
● Establishment of Termination Policies: The organization should designate a team
which oversees the termination of employees. Representatives for all departments
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 65
should be aware of the process. In the case of a hostile termination or problematic
ex-employees, the team should establish a standard operations plan to hire additional
resources (e.g., internal security team, local police) and escalate details of the incident
to important organizational stakeholders (top leadership, legal, etc.).
● Enforcement Action: When appropriate, enforcement action should be taken to
maintain an organizational posture which does not tolerate breaches or internal thefts
of any kind. While it can bring negative publicity, sometimes taking action to
prosecute violators is the most prudent response.
Although technological safeguards are a staple of a comprehensive security policy, these steps
listed above focus primarily on changing behavior, shaping culture, and raising awareness.
“Instead of looking at just the technological aspects of security measures, organizations should
take a cultural approach to security, recognizing the integral role people and processes play in the
way business is conducted” (Joyce, 2006, p. 38). Since people are an integral part of the
business process and each organization’s key assets, they have to be a part of the solution.
Operational Impact
Most organizations trust their employees implicitly and provide them with the necessary
access to information. This access is necessary for business operations, workflow, and
efficiency. However, failing to acknowledge that insiders can cause significant harm can expose
the organization to unnecessary risk. Repeatedly ignoring this risk can lull it into a sense of
complacency. The impact of such complacency or inaction can be devastating.
Added security protocols come with a cost. Understandably, leadership is reluctant to
implement rigid rules and regulations for a variety of reasons. Those reasons might include
costs, concerns about privacy, and negatively impacting the general workplace culture.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 66
Security policies can hinder the creative process, stifle the collaborative nature of the
workplace, and frustrate efficient operations. Overly restrictive procedures can convey mistrust,
and organizational culture can feel cold or impersonal. “Access control set too restrictively can
deleteriously affect productivity because employees must continually negotiate and justify their
access to information. If set too permissively, access controls can leave sensitive information
exposed” (Caputo and Stevens, 2009, pg. 14). The practice of implementing solely technology-
centric barriers and controls is rarely effective. The use of technology to reduce risks to
organizations is one of many integrated strategies that should be considered. But it also has
downsides.
Conclusion
Emerging technology, global interconnectedness, and a diverse workforce bring promise
and new opportunity. Insider threats have long been a concern of companies but new technology
has created additional layers of complexity. Opportunities to exploit technology maliciously
create additional risk exposure. New technology makes attacks easier to commit. Employees
have unrestricted access to confidential data, are familiar with the internal vulnerabilities, and
can cover their tracks making post-event investigations difficult. Content is more transient,
storage devices are inexpensive, and information can be shared instantaneously via the Internet.
In looking at past occurrences of insider attacks, many were not discovered for months after they
occurred.
While the root causes of insider attacks are numerous, the solutions are straightforward.
Security professionals can employ the following steps inside their organization to mitigate their
risks and be better prepared to respond when it occurs:
Education and Training Programs. When employees embrace the philosophy that
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 67
security and safety is everyone’s responsibility in the workplace, their awareness
becomes a force multiplier. Regularly scheduled training programs can raise awareness,
provide employees with the basic tools to make observations, and empower people to
come forward to report suspicious behaviors.
Data Analytics Software. There are software products available today that leverage
existing internal workplace data and algorithmic formulas to predict behavior.
Correlating data and behavior based on objective baselines can flag outliers and trigger
follow-up steps if justified. For example, an employee who works traditional business
hours for many years and abruptly starts coming to the office late at night or on the
weekend would be considered a notable outlier. Those statistical deviations would
trigger a notification to security or human resources for further follow-up.
Background Checks. Pre-employment background checks are an essential component
of insider threat risk mitigation. The assessment of past behavior is a strong predictor of
future performance. The higher the degree to which an organization understands their
applicants’ experiences, the better their odds of hiring top performers and those with high
ethical standards.
For most organizations, security is at odds with productivity, so finding the appropriate balance
is the end goal. Increasingly, companies are creating collaborative and interactive work
environments which align with a flat organizational structure. Security protocols can conflict
with that philosophy as well. Striking a balance between security and productivity is an ongoing
challenge for organizations in a wide variety of business sectors. In order for companies to
reduce their exposure, they must acknowledge the risk, thoughtfully craft strategies, and
implement solutions which are closely aligned with today’s requirements.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 68
Chapter 5 - Digital Piracy
Emerging technology has created cutting edge tools for growth while simultaneously
unearthing highly complex risks and threats. The theft of digital content and intellectual property
costs our economy, drains law enforcement resources, has been linked to criminal networks, and
creates challenging policy questions. The future of digital content protection is uncertain.
Research indicates that software worth $32 billion was pirated in 2005 (Hill, 2007), and the
Motion Picture Association of America estimated that losses due to piracy cost the industry some
$6.1 billion in 2013 (Dubey and Kumar, 2014). Although piracy is not a new phenomenon,
recent technological and market forces have completely altered the depth and the scope of this
problem. Recent technological advancements and trending economic forces have highlighted, in
dramatic ways, the inherent challenges of balancing the protection of creative work with a strong
public demand for content. A transnational economy, increasing digitization, and essential
dependence on networks have spawned new criminal opportunities. Organizations depend on
networks and technology infrastructure to conduct business. They depend on web content for
research, storage of work product in cloud computing platforms, and technologically-based
mediums for collaboration amongst employees. But protection of these processes and resources
faces an era of uncertainty and risk. Legal ambiguity, jurisdictional challenges, and conflicting
ideas between nations all add to the complexity of how we address intellectually property
protection (which is more broadly what digital piracy undermines) in the new millennium. This
chapter will provide a historical summary of piracy and, using movies as a case study, will define
how and why technology has changed content protection in ways few could have possibly
anticipated.
Piracy has been linked to organized crime and terrorist groups. It has spurred aggressive
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 69
responses from nations around the world about how to address it and led to global debate.
Collaborative partnerships have formed, many in the past decade. Establishing itself as a key
stakeholder, the United States has long been at the forefront of this battle (Lucchi, 2006;
McDonald, 2007).
Background
Digitization, or the use of digital technology for the purposes of storage, transfer, and
reproduction of property, has changed the landscape in which movies and other intellectual
property can be protected (McDonald, 2007). New methods of distribution of creative work
have opened the market to new modes of marketing and repurposing. Progressive methods of
delivering content have resulted in job creation and spurred research across many sectors.
Technology is at the core of this transformation. Alternative revenue streams have provided
social, cultural, and economic benefits. Movies, as well as books and music, can be distributed
and reproduced in ways never considered when copyright and patent law was written centuries
ago. The ease with which property can be transferred has been embraced by companies and
distributors, now realizing new and substantial revenue opportunities. “Digital technologies
allow perfect, inexpensive, and unlimited copying and dissemination of content” (Lucchi, 2006,
p. 6). These advancements paradoxically provide a favorable platform for piracy and
counterfeiting at the same time. “Digitization subsequently introduced new possibilities and
challenges for copy protection. Enthused by the promise of digital fidelity, the legitimate video
business embraced DVD, and industrialized piracy followed accordingly” (McDonald, 2007,
196). The access paradox underscores a difficult balance between a seller’s ability to monetize
their product with a complementary need to make it accessible to the consumer. Once it
becomes increasingly accessible, however, it also allows for its unlawful duplication or
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 70
distribution. Technology has changed greatly in the past two decades. Our path is unchartered
and future policy implications are unclear.
Traditional Piracy to Digital Piracy: What Has Changed?
The increasingly global economy has linked countries for economic trade and growth,
without a universal approach to intellectual property. While the global economy has changed
and technology has advanced greatly, new enforcement challenges raise troubling new questions
such as how online content is valued, when is online content considered open source material, or
how to prosecute transnational theft of online entertainment media. Digital piracy is at the
forefront of such discussions. Traditional methods of piracy have given way to cybercrime and
the misuse of digital content. The sources of this transformation are complex and multi-layered.
The six most prominent and widely discussed factors are summarized below.
Globalization. Globalization has allowed varied industries, especially those providing
digital content, to have a global presence in powerful ways. It allows them to monetize their
products or services across borders. At the same time, criminal syndicates can leverage the same
technology to create illegal business opportunities themselves. “Like the legitimate video
business, industrialized piracy operates through highly organized facilities for illegal production
and extensive, transnational networks of distribution” (McDonald, 2007, p. 179). Modern
communication technology has changed the way in which we utilize commerce and trade in a
global economy. The World Wide Web has created an unregulated distribution tool for a global
audience (Etges & Sutcliff, 2008). This evolution has highlighted the vastly different legal
environment in which each individual country operates. The Internet has bridged distance
regions, linked previously disparate regions of the world, and allowed expansive sharing of
information. “If the twentieth century made culture generally accessible, the twenty-first will
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 71
make it universally accessible” (Lessig, 2008, p. 42).
Transnational Organized Crime. Transnational crime, or crime occurring within and
across international borders, has become more pronounced in recent years. Organized criminal
groups have expanded into operations such as drug sales, human trafficking, intellectual property
theft, weapons trafficking and cybercrime. These groups are often difficult to identify, elusive to
surveil, and mobile. “Organized crime groups are decentralized to avoid providing single targets
or points of failure for adversaries and law enforcement, rely on loose relationships among
different players in different countries due to the nature of business (trust between players is
minimal and relationships don’t last long), and prosper greatly in non-regulated, lawless
environments” (Etges & Sutcliffe 2008, p.91).
Enforcement Challenges. As a result of globalization and links between countries that
previously did not exist, new business opportunities have surfaced. With this legal evolution
come new challenges, especially in enforcement methods. Legal wrangling between nations and
a blurry jurisdictional framework favors the criminal groups. Even the enforcement of existing
laws, especially across national borders, can be difficult. Based on this dynamic, intellectual
property legislation has limitations and exclusions.
Government agencies often lack the necessary resources to effectively pursue organized
criminal syndicates that operate globally. Language barriers, cultural differences, greatly
varying levels of development, and geopolitical factors contribute to some of the barriers to
consistent enforcement. Furthermore, the rising levels of sophistication of criminal syndicates
coupled with the resulting complexity of their crimes pose difficult, sometimes insurmountable
challenges to law enforcement agencies.
International collaboration between governments to address digital crime is another area
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 72
of concern. “There are currently no international law enforcement agencies (LEAs) tasked with
carrying out cyber-crime investigation, nor does there appear to be an appetite amongst nation
states to create one” (Bryant & Bryant, 2014, p.114). Recent data is trending toward a transition
from organized crime’s diminished role in drug sales and a movement toward piracy and
counterfeit goods. Most troubling is the fact that piracy, with its high profitability and uncertain
enforcement by government and law enforcement officials, is a valuable source of revenue for
terrorist networks (Hamade, 2010). According to the Motion Picture Association (MPA)
international division’s 2005 report, “criminal revenues from intellectual property theft were
estimated to have reached $512 billion in 2004, compared to $312 billion from drug trafficking”
(McDonald, 2007, p. 190).
Network Dependence. The powerful emergence of the Internet as a medium of
communication and commerce has altered the framework of piracy. Prior to the Internet, most of
pirated activity involved the physical movement of disks, tapes, or reels. But with the addition
of a technology-based infrastructure and its vast network of global links, the Web provides an
added layer of efficiency for industrialized piracy. The distribution network on the Internet has
few boundaries. The Internet and strong dependence on networks have provided a virtual
existence of pirated material and allowed for the transfer of content globally (McDonald, 2007).
Criminals are elusive under the veil of Internet anonymity. The need for storage space, overhead
costs, and costly transportation to sales outlets is no longer a requirement to distribute pirated
movies and other counterfeit goods. Rather, virtual crimes become the established practice,
leveraging existing technology infrastructure and file sharing applications.
A Peer-to-Peer (P2P) network is a file sharing tool that allows groups of users to access
hard drives, information, files, or resources. This technology provides for convenient sharing of
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 73
legitimate information and resources while simultaneously providing an outlet for deviant and
often illegal behavior. “Investigations have shown that these P2P networks, originally created
for legal purposes, are heavily utilized to exchange illicit files such as child pornography and
copyrighted material” (Fagundes, 2009, p. 52). File sharing software has also been linked to
pirated, pre-released movies and widely publicized music theft. Since both computers and P2P
software have a multitude of legitimate uses, the prohibition of or limitation on one’s ability to
use them for illegal purposes is not viable. Enforcement of such activities is difficult and
complicated further by the lack of international cooperation by government agencies to combat
it.
Decreasing Reproduction Costs. Optical disc piracy, or illegal DVD duplication, is now
faster and more efficient with newly created technology. While costs, quality deterioration, and
storage requirements stabilized the rise of pirated VHS tapes, the opposite has occurred with
DVD duplication technology. Commercially-sized operations illegally duplicate and distribute
these discs worldwide. These operations are lucrative and can be scaled efficiently. They are
often well-organized, have sound leadership, and are managed effectively; sometimes their
business practices mirror the legitimate competitors. Some of the counterfeit versions are sold
on the black market as cheap versions en masse with nondescript packaging in attempts to
conceal it. In other cases, the box art and images are replicated to compete on the open market –
as the “real” product. Many of these clandestine operations produce such high quality pirated
versions that they eventually surface within the mainstream market unbeknownst to the
consumer or legal distributor.
Counterfeiting. In many cases, the illegal, counterfeit versions enter the mainstream
supply chain and distribution networks, comingling with the authentic property. This integration
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 74
is sometimes intended and the authorized distributor does not realize that he is selling pirated
copies. As a result, legitimate sellers are often targeted by misdirected enforcement campaigns.
With the cheaper technology of both the discs themselves as well as the duplication equipment,
law enforcement has begun to discover smaller, independent illegal operations. Cheaper
technology and readily accessible equipment led to the establishment of numerous small-scale
operations by relative amateurs (McDonald, 2007). With today’s speed and efficiency,
documents can be reproduced and disseminated in their entirety with ease, convenience, low
cost, no degradation of quality, and no downside to the distributor to broad consumer base.
Although digital property theft is the primary discussion in this chapter, counterfeiting
production of proprietary products can have broader consequences than just negative financial
impacts. If the digital code for the production of proprietary, customized parts is accessed by
counterfeiters, public safety can be jeopardized since the counterfeiter produces the items with
lower quality materials. For example, illegal aircraft parts trade has been widely studied as a
result of such concerns. In 1989, a Norwegian plane crashed into the North Sea, killing fifty-five
passengers. It was later determined that counterfeit bolts loosened and were the cause of the
engine failure (Chaudhry & Walsh, 1996). Critical parts used in government infrastructure
projects, public transportation, or bridges are not exempt either from the safety risks associated
with faulty, counterfeit parts and equipment.
Case Study: Movies
Piracy impacts many industries and sectors around the world but the movie and
entertainment industry provides a valuable foundation for that discussion. To illustrate how
expansive and pervasive piracy has become, movie piracy serves as an appropriate case study.
There are four types of movie piracy: physical theft, camcording, illegal duplication, and
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 75
unauthorized web distribution. These are important to define. As we shall see, each of these
methods has been greatly transformed in recent years. Advancing technology has provided
considerable options for growth.
Physical Theft. The first type of piracy is the theft of work prints or post production loss.
Most often this occurs when a film is taken from a production library, a movie theater, or a
courier. The theft is frequently linked to an insider – an employee or vendor. Although this type
of theft has occurred for nearly a century, there were inherent practical challenges to the process.
For example, an entire movie might require dozens of reels to store it. The theft would be easily
detectable by other employees, closed-circuit television cameras, guards, or scanning equipment
at exit doors. The theft of multiple movies or libraries of movies might actually require more
than one person acting in concert and even potentially requiring industrial moving equipment to
remove it from the studio. Contrast those traditional methods with contemporary options. New
methods of storage which have unfathomable memory capacity allow this content to be movable,
transient, and conveniently hidden by the perpetrator. Memory sticks, flash drives, and compact
hard drives can store terabytes of information. These storage devices are widely accessible in
retail and online establishments and are inexpensive. For example, a one terabyte storage device
can store over one thousand movies depending on length and resolution and generally costs
under $100.
Camcording. The second method of piracy is the result of “camcording” or videotaping
of films at premiers and then distributing a bootleg copy via the Internet or black market
distributors. This method has practical challenges as well. Older model video recording devices
were big, bulky, and heavy. They cannot be easily concealed inside a theater. Once deployed
during a movie, violators would often be reported to theater personnel. Furthermore, due to
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 76
resolution limitations on the recording device coupled with lighting challenges inside a dark
theater, the end result was a very low-quality version of the movie. This low quality, amateur
version had modest or nominal value in marketplace. Those interested in seeing the movie
would frequently pursue legitimate opportunities for viewing it for higher quality resolution and
a more appealing experience.
Advancements in technology have changed the environment. Today’s video recording
devices are a fraction of the size, can be easily concealed, have superior quality resolution, and
are widely available in the market. Additionally, these devices are simple to use, have a long
battery life, and can be deployed inside a movie theater covertly.
Unlawful Duplication. The third method involves the unauthorized duplication of
optical discs and resulting unlawful commercial distribution. Most pirated copies are sold to
street vendors, open air markets, or Internet auction websites. Previously, these blank discs were
expensive and delicate to manage. Damage due to scratching was common. Frequently the
duplicated copy was not the equivalent level of quality since subtle deterioration occurred during
the process. The duplication equipment was not readily available on the open market and often
required specialized knowledge and training to operate. Generally, only movie insiders had
access and knowledge of the required infrastructure to perform these illegal duplications at any
worthwhile profitability level of scale.
Newer technology currently available allows even the novice to duplicate discs at a
fraction of the cost. Large-scale operations are now able to duplicate, distribute and reach
expansive markets.
Unauthorized Web Distribution. The fourth method is distribution of unauthorized
movies or portions of movies via websites on the Internet. Just thirty years ago, the Internet as
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 77
we know it today did not exist so the digital distribution of illegal content is a relatively new
phenomenon. The World Wide Web, cloud computing, offsite data storage, highly developed
and sophisticated data centers, and lighting fast global network infrastructure are examples of
how technology has changed the rules of content protection. It has opened a vast array of
opportunity for illegal distribution. This growing and constantly expanding technology has
paved the way for efficient distribution of pirated content. The Internet now reaches many more
countries around the world, creating a very efficient medium to respond to global demands.
Content can be transferred almost instantaneously with global reach.
Industry Strategies to Reduce Piracy
The entertainment industry, among others, is scrambling to find solutions. Legislative
action to create mechanisms of enforcement and technology-based tools such as Digital Rights
Management (DRM) and watermarking are the primary strategies. Stronger legislation to enable
more aggressive enforcement by law enforcement has demonstrated limited success thus far and
still faces an uphill battle. The Digital Millennium Copyright Act (DMCA) was developed in
1998 to impose injunctions on illegal duplication and electronic circumvention methods of
creative properties. Legislation such as this, though it faces challenges, appears to be a positive
step forward and it underscores the policy challenges of digital content protection.
The DMCA is difficult to enforce for a variety of reasons. The law was developed in the
United States but it faces difficult jurisdictional challenges since it rarely has the reach to impact
global piracy when much of it is actually occurring overseas. In the instances when the illegal
activity is occurring within the United States where the DMCA might provide a meaningful
foundation for prosecution, lean law enforcement resources are often engaged elsewhere.
Federal law enforcement resources are allocated toward global terrorism and violent crime in
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 78
larger proportions compared to intellectual property theft and content protection initiatives. As a
result, these laws have not had the strong impact many had envisioned.
However, legal efforts must be a part of a more comprehensive strategy. Technology-
based tools are also important. “The risks associated with the digital distribution of content have
proven to be a strong incentive to develop a broad array of technologies to deter illegal copying”
(Bloom & Cox, 1999, p. 1275). Examples of these technologies include DRM and
watermarking. DRM systems are categories of technology which aim to limit the consumer’s
ability to duplicate property and prevent its illegal distribution. This is done through a
technological mechanism on the product itself to secure it by prohibiting its duplication and
preventing the user from converting it into other formats. The conversion into other formats
allows the content to be duplicated. In theory, this tactic would give the creator full power over
their work. The approach has been largely ineffective. The larger, illegal distribution networks
and fraudulent operations have the sophistication and the resources to circumvent these security
features. “In practice, however, DRM has been a uniform failure when it comes to preventing
piracy” (Hoffman, 2009, pg. 17). Making matters worse, the individual consumer, rarely the
target of such enforcement since their role in revenue loss is so negligible compared to organized
crime, find DRM to be restrictive and cumbersome. Digital rights management systems are
designed by producers with commercial interests and they generally do not consider the end-user
perspective (Jajodia, 2004).
Watermarking is used to prevent unauthorized duplication of content. The process
secretly embeds a digital signature or fingerprint into the file so that when it is duplicated a
copyright protection stamp becomes visible (Collberg & Thomborson, 1999). Watermarking is
most commonly used to prevent camcording inside movie theaters (Dubey and Kuman, 2014).
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 79
This strategy is also imperfect. Highly sophisticated IT professionals have been able to
circumvent this by locating the secretly embedded file and deleting it.
Conclusion
New technology and the global economy have created a challenging environment for the
future of anti-piracy efforts. Traditional approaches such as new legislation, increased
enforcement, and support for collaborative partnerships have not been able to demonstrate
reliable results. In recent years, noted economists and academics have added new momentum to
this dialogue by suggesting that the creative industries must proactively change their philosophy.
Some believe that a realignment of traditional marketing, pricing, and distribution should be
thoughtfully considered. As Lessig (2008) noted, “though this instinct can’t be justified as a
matter of (at least today’s) law, it is the essence of practical reason in the digital age: if you
don’t want your stuff stolen, make it easily available.” If creators and companies provided
content more freely (not necessarily at zero cost), they can determine the licensing terms,
strategically tailor their branded marketing schemes, tap unrealized revenue, and limit the misuse
of their intellectual property. “Digital technology will enable market support for a much wider
range of “free” content than anyone expects now (where “free” simply means without charge);
and digital technologies will continue to resist models that depend upon the heavy policing by its
owner to protect against “unauthorized use” (Lessig, 2008).
Piracy and counterfeiting are policy issues with a long history dating back centuries. We
are in a transformative era in time defined by dynamic technology, the expanding use of social
media, explosive data storage capabilities and general uncertainty. While the long-term solutions
to end piracy and counterfeiting are not clear, security practitioners and policymakers should
focus on the following list of practical strategies to curb the amount of piracy occurring:
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 80
Computer-Level Controls. Organizations that manage large amounts of data or content
should conduct a comprehensive assessment of accessibility allowances. The objective
of the assessment is to determine how the protocols governing access to unreleased
footage or proprietary content are configured. Increasing restrictions and limitations of
access will mitigate risks associated with unintended disclosure. Confidential data should
be partitioned from those who have no business justification to view it.
Watermarking. Industry leaders generally concede that illegal reproduction and
distribution of protected content is an unfortunate reality. Although technology creates
more opportunities for unlawful activities, it can also be a valuable preventive tool.
Inserting a virtual fingerprint or barcode onto the content itself will reduce the
occurrences. Technologists should continue to pursue creative and innovative ideas to
“lock” protected content and reduce its unlawful distribution.
Collaboration. Content protection is a global policy challenge that requires a holistic
approach. To that end, coordination amongst a diverse set of stakeholders around the
world should be a fundamental effort of both practitioners and policymakers. While anti-
piracy legislation clearly has its limitations, the collective engagement of multiple entities
should be an essential strategy.
The music and video game industries highlight two divergent approaches. Traditionally,
music has been among the most visible example highlighting the difficult balance of using
technology to increase accessibility. The collective industry continues to make efforts to restrict
and limit release of musical content, still placing a high priority on enforcing existing laws.
Record labels often equate more accessibility of their products with a decline in sales, thereby
reducing the incentives for artists to release new songs. Market research and Internet sales are
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 81
pointing otherwise. “The speed and convenience of the Internet-based distribution system are
surely socially beneficial” (Fisher, 2004). By contrast, online video game companies have found
market success in allowing users to download the base level game for free and without requiring
any specialized hardware to play it (known as the “Freemium” model). They generate revenue
from advertising, retail and online merchandise sales, and micro-transactions for in-game
accessories and tools. Finding a way to change the rules, increase accessibility, and deviate from
traditional marketing methods just might hold the answer to dismantling piracy.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 82
Chapter 6 - Online Radicalization
New technology has changed the way that companies operate, the ways in which we
communicate, and the ways that we interact. Global terrorist groups now have new tools
allowing them to reach a larger audience. They can recruit new supporters and strategize their
efforts more effectively using the Internet as a tool. The online environment provides a virtual
community allowing people of common interests in geographically disparate locations to share
ideas, create messaging, and raise funds. “Radicalization is the process through which
individuals identify, embrace, and engage in furthering extremist ideologies and goals”
(Southers, 2013, pg. 53). Alternatively, radicalization is the process of developing extremist
ideologies and beliefs based on a repeated exposure to extremist propaganda (Powers, 2014).
The Internet provides a convenient and efficient mode of information distribution and transfer.
Online radicalization will continue to create an avenue for terrorist and extremist
subgroups to increase support and find willing sympathizers. “There seems to be a strong
consensus among different government departments and agencies as well as independent
analysts and experts that the growing importance of the Internet in radicalization is the single
most significant innovation to have affected homegrown radicalization since the 11 September
attacks in 2001” (Neumann, 2013, p. 432). Extremist groups can exploit the Internet to cast a
wider net for recruiting. They now have convenient access to highly sophisticated networks for
the dissemination of propaganda.
The process of online radicalization is incremental and evolutionary. No single
sociological or psychological theory can explain radicalization (Southers, 2013). This
complexity makes response strategies by federal law enforcement and U.S. intelligence agencies
more challenging. Rapidly advancing technology, such as increasing Internet bandwidth and
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 83
increasingly sophisticated networks, underscores the complexity of their efforts. Online
radicalization exploits the Internet for recruitment and gathering intelligence. Although it is
distinct from terrorism, radicalization can be a precursor to one committing violent acts in
support of their beliefs. As a result of the direct link between radicalization and terror, the two
are often studied and discussed in the same context. Paradoxically, technology is at the core of
the problem but must simultaneously be leveraged as part of a global comprehensive strategy to
combat terror. This chapter discusses how and why online radicalization has only recently
emerged and how new technology has created an opportunity for extremist groups to promote
their message more effectively.
Background
One of the first extremist movements to strategically utilize the Internet effectively for
outreach was the white supremacists (Bowman-Grieve, 2013). “Since their views are widely
rejected by mainstream media, White Supremacist groups often turn to alternative forms of
media, especially the Internet, to get their message out” (Berlet & Vysotsky, 2006, pg. 14). Prior
to using the Internet, their target audience was dispersed and decentralized. The ability of white
supremacists to create a cohesive message that could be effectively marketed to a cross-section
of people was an ongoing challenge. Geographic distance made the sharing of ideas, meeting
with like-minded people, and recruiting new supporters difficult because it required people to
travel. Suddenly technology bridged the gap by allowing those activities to occur virtually.
Online forums, blogs, and chat rooms became essential tools of information distribution. They
were able to recruit new members, create a more cohesive leadership structure, and distribute
resources to a wider group (Holt & Bolden, 2014).
Many of the supporters had unyielding views about white power but never intended to
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 84
carry out violent acts. As a result, their rhetoric, propaganda, and communication were generally
protected by the First Amendment of the U.S. Constitution. One member of the radical right
virtual community Stormfront stated, “It was the Internet that got me interested…I got contacts
and then was able to meet up with like-minded people in the flesh…it all just grew from there”
(Bowman-Grieve, 2013, p. 2).
As technology and Internet infrastructure improved and bandwidth grew, their efforts to
recruit became highly strategic and precise. New technology paved the way for their expansion.
Data findings which validate this growth are more qualitative than quantitative because typically
these subculture groups do not trust academic and institutional research efforts (Adams &
Roscigno, 2005).
The white power extremists targeted particular demographic groups, primarily young
males, to increase their visibility and gain a following. They executed this process with
deliberate strategy and structure. For example, White Power music, white supremacist video
games, and online dating services were used to recruit new members in the online environment.
The white supremacist movement serves appropriately as an introductory example for this
chapter to explore the following questions: Why is technology an effective tool for global terror
groups? What are the stages of radicalization? What are the mechanisms of online
radicalization? What strategies can be used to counter it?
Technology’s Role in Radicalization
New Tools. The increasingly global economy has linked countries for economic trade
and growth, while simultaneously providing a better network for terrorists. The advancements
have allowed them to effectively recruit, communicate covertly and mobilize in sophisticated
ways. Social media and the instant distribution of information via the Internet provide additional
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 85
tools for terrorist groups to spread their message, establish a credible following, politicize their
actions, and validate their ideology. Knowledge and data are transformative and technology
provides the path. “Media and in particular social media are an important tool for the
propagation of the relationship between religion and terrorism” and “the online environment has
proven to be a salient institution for terrorism” (Torok, 2013, p. 3).
Advancement of Internet Capabilities. The Internet possesses particular traits and
nuances that can be utilized very effectively to mobilize support for a belief or movement. The
capabilities of the user have progressed in meaningful ways. Different phases of technological
implementation have occurred over the past 25 years. Each one has seemingly created more
complex layers of security concerns (see Figure 1 below, adapted from Neumann, 2013, p. 434-
435).
Static Websites. These were the first type of website which originally gained mainstream
attention in the 1990s (Neumann, 2013). Static websites served as online resources and
content delivery models that were not subject to typical media and journalistic editing.
They served as a repository for content that the author wanted to share. There was no
capability to interact with the reader and updates were the responsibility of the website
host.
Forums and Blogs. The forums were the earlier versions of virtual meetings and town
halls. These allowed for multiple participants to view content, comment, and paste
Static
Websites
Forums
& Blogs
Multimedia
Products
Social
Networking
Production
& Editing
Tools
Smart
Phone
Revolution
FIGURE 1
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 86
additional documents. Most the participants remained anonymous or used pseudonyms
and as a result felt more comfortable debating topics and engaging in divisive topics.
Multimedia Products. In the early 2000s, the first use of videos on the Internet happened.
The primary trigger was the expanded bandwidth by Internet Service Providers which
allowed for quality video content to be distributed. “For supporters of Al Qaeda, for
example, clips from jihadist battlefronts such as Iraq and Afghanistan –depicting suicide
attacks, improvised explosive device (IED) explosions, and beheadings –became
essential viewing that spurred debates and generated constant excitement” (Neumann,
2013, pg. 434).
Social Networking. Social networking and the first examples of user-generated content
emerged shortly after the multimedia era. Often referred to as Web 2.0, this allowed for
more prolific video sharing, mainstream blogging, instant messaging tools, and social
networks. Social media sites like Facebook and Twitter allowed for more advanced
networking, social linkages, and sharing of content within established circles. “Through
social media, ISIS speaks directly to the youth it is targeting for recruitment, using the
medium that works best for these youth” (Greenberg, 2016). This led to a dramatic shift
and allowed extremist groups to distribute propaganda, recruit globally, and exploit the
advancing technological landscape to craft a marketing campaign of sorts to generate
support.
Production and Editing Tools. The addition of inexpensive software editing tools
provided additional opportunities for groups of all types, whether extremist or not, to
advance their agendas via online content. Self-generated content allowed users to
become more adept at creating and posting their own content such as videos and
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 87
interactive media. This included professional looking videos, movies, and
documentaries.
Smart Phone Revolution. This contemporary era is characterized by active user-
generated content, a robust network of social networking offerings, and even extremist-
produced apps with elaborate instant messaging and other highly efficient mediums of
communication believed to be vital for global fundraising (Neumann, 2013). This
allowed users, who were not directly linked or affiliated with extremist groups, to video,
edit, splice, share, and manipulate existing web content and distribute it freely.
This transformation explains how rapidly-advancing technology creates more opportunities for
extremist groups to grow and for the radicalization process to become a bigger concern for
government and law enforcement officials.
The speed and bandwidth of the Internet has opened unbounded access to content and
data. Although the radicalization process is generally one which occurs incrementally and over a
period of time, the speed and efficiency of the transfer of information over the Internet has
provided a foundation for quick action and immediate feedback. The delivery schedules of the
U.S. postal service meant several days before information could be distributed. Online tools are
instantaneous. Gathering larger groups in one central meeting spot took coordination and
logistics. Blogs and chat rooms are immediate. The impracticality of old methods often created
boundaries and delays, and organically diluted efforts of these movements. Bowman-Grieve
(2013), stated the following:
Terrorist use of the Internet and the communicative value the use of this
technology brings, are wide ranging and far reaching. In essence the Internet
provides a new solution to the old problem of communication; where once
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 88
terrorist movements were reliant on ‘traditional’ forms of media to bring their
‘cause’ to the public, the Internet now facilitates a broad spectrum of
communication possibilities, from websites to virtual communities (p. 2).
Social media have created a dynamic and instantaneous system for exchanging ideas. Additional
characteristics of the Internet are covered later in this chapter in the Mechanisms of Online
Radicalization section.
Shift from Institutional Meetings. The typical use of institutions such as churches,
private clubs, and training camps to recruit new supporters is more difficult because of their
public visibility. Anti-terror efforts are becoming more multi-tiered and now involve community
outreach and confidential informants. Law enforcement has become more proficient in
monitoring and infiltrating such operations to seek out extremist groups and individuals of high
risk. Some of these strategies by government officials have been effective and violent extremists
have been questioned or jailed. Given these strategies, other modes of communication for the
purposes of recruiting, fund raising, propaganda, and general information flow are centered
closely around the use of the Internet to avoid detection.
Interactive Institutions. The Internet has filled the role of a new institution in our
society. Similar to churches, prisons, mental hospitals, and schools, the online environment can
serve as a structured, consistent, and predictable environment in which people may interact.
Also referred to in some research as a ‘virtual community’, it provides a ‘safe haven’ for
supporters of extremist ideologies, a forum of validation and support and the means to become
knowledgeable and engaged in the movement (Bowman-Grieve, 2013). These new institutions
or virtual communities can play a powerful role in shaping behavior, guiding one’s principles,
and creating belief systems.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 89
The Internet, in contrast with the other examples above, is unique though. Indeed, it
possesses some characteristics of a typical institution but it has far fewer boundaries and unclear
behavioral expectations, and removes non-verbal communication as a core component of human
interaction. If nobody challenges certain beliefs, they can become more accepted within the
group. “The online environment becomes a self-imposed institution, whereby individuals
become isolated in terms of developing rationalities” (Torok, 2013, p. 2). This online influence
can be isolating for some individuals. In researching past terrorism or extremist violence cases,
links to online engagement pre-event were almost always present. For example, Faisal Shahzad,
the accused Time Square bomber, and Nidal Hasan, the Fort Hood Killer, were both considered
loners and quiet but that their sole social interaction was Internet usage (Torok, 2013).
Stages of Radicalization
There is a distinction between terrorism and extremism. Terrorism is the unlawful and
politically motivated use of violence to cause harm, generally through fear (Martin, 2011).
Violent extremism refers to ideologically motivated violence in pursuit of political goals (Power,
2014). Violent extremists typically target a specific government, organization, or person to force
desired changes but their actions do not necessarily intend to instill long-term fear in society, a
notable and unique characteristic of terrorism. Radicalization does not require a person to carry
out an act of violence; it’s the process of shifting attitudes. Some individuals who have been
radicalized support the efforts of terror groups in ancillary ways like propaganda and financing
but never resort to acts of violence themselves.
Though the study of online radicalization is relatively new and the body of research is
still evolving, there is an existing process which is important to summarize. In most case studies,
the evolution is incremental and the sequence is predictable. There are three stages of online
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 90
radicalization: motivation, indoctrination, and group membership (Mastors & Siers, 2014).
The journey of radicalization begins with motivation. Motivation can be caused by a
variety of factors and contemporary literature is not always in agreement. But generally
speaking, there are overlapping examples such as frustration, disengagement, moral reasoning,
excitement, the search for ultimate meaning, humiliation revenge, moral outrage, perceived
injustice, and the need for belonging (Mastors & Siers, 2014). Southers (2014) stated that
radicalization starts with a personal grievance from a particular event or experiences which
makes them more susceptible to accepting the extremist ideology. Given these factors,
recruitment efforts typically focus on young males who might be socially isolated, disconnected,
and disenfranchised from society. Radicalization can fill psychological gaps and insecurities.
One of the most effective ways at reaching candidates fitting this profile is online. Tobok
(2013, p. 2) asserted, “In recent years there has been an increasing reliance on Internet
technologies primarily because they allow good targeting of marginalized individuals,
anonymity, and decentralization.” Recruiting efforts have become highly sophisticated and the
exploitation of the Internet as a tool to seek sympathizers, rally support, and distribute targeted
content will remain on ongoing challenge for policymakers (Southers, 2014). The exploration
into terrorism and extremism with like-minded voices of influence can often provide a sense of
belonging and value.
If the messaging is effective and the targeted individual is open to such teachings, the
process of indoctrination occurs. The indoctrination process occurs over a long period of time
and is evolutionary (Bowman-Grieve, 2013; Neumann, 2013; Southers, 2013; Powers, 2014;
Mastors & Siers, 2014). The process often takes many months or even years. Indeed, the
Internet enhances this process by creating opportunities for the repeated exposure and
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 91
exploration. Over time, the recruited individual is able to deepen his or her understanding of the
extremist philosophy. They also gain a sense of affiliation with the group.
Online tools bring like-minded people together. The individual’s norms and values can
change with the appropriate leadership and influence. The concept of ‘groupthink’ can be
defined as a way thinking that people engage in when they are deeply involved, feel a strong
sense of connection, and, as a result, they display an inability to consider alternatives (Janis,
1972). In the case of terrorist teachings and violent propaganda, rationalization and
legitimization are continually validated, eventually earning the commitment and dedication of
group members. If the target is vetted and has been indoctrinated properly, the recruit is
approached to join the group, which signifies group membership (Mastors & Siers, 2014). All
three phases of the radicalization process utilize technology-based methods, the Internet central
to the strategy. The approach is highly structured. The repeated exposure becomes significant to
the process. In order for their efforts to be compelling and influential, there are multiple
mechanisms of online radicalization.
Mechanisms of Online Radicalization
How terrorists use technology to promote, support and capture allegiance has become a
more widely studied phenomenon in recent years. Emerging technology and the Internet has
created many opportunities for terror groups to spread propaganda, recruit new membership, and
enhance their standing with existing supporters. Increasingly, we are seeing more links between
radicalization and the strategic use of the Internet. Neumann (2013, p. 436) summarized the
following six processes and dynamics of interaction:
1. Mortality salience
2. Sense of moral outrage
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 92
3. Extremist forums as criminogenic environments
4. Online disinhibition
5. Mobilization through role-playing
6. Links into terrorist networks
Mortality Salience. Researchers cannot conclude that any single exposure to graphic
violence can transform a person into committing an act of violence or terror. However, the
prolonged exposure has shown that, in some cases, persons susceptible to such ideology could be
influenced. As a result, the ongoing and recurring exposure can lead to the rationalization of
violence, the legitimization of extremist teachings, and the desensitization of one’s view of
death. This process, as defined by Tom Pyszczynski, is called ‘mortality salience.’ He stated
(2006, p. 435), “The constant exposure to discourses about martyrdom and death—combined
with videos of suicide operations and beheadings –can produce an overpowering sense of
mortality and general support for terrorist, brutal activity.” Mortality refers the his or her
willingness to die for a greater cause since their efforts support their ideology.
Moral Outrage. This occurs when prolonged exposure to videos and narratives of the
conflict zones of war generate a strong emotional response. These types of images often depict
war atrocities, alleged unjust treatment by Western troops, and other violent depictions which
create a sense of moral outrage. For example, when online narratives about the mistreatment of
civilians by U.S. military troops are widely covered, those stories are distributed to extremists
around the world. These stories are then exploited to rationalize and legitimize extremist
violence as a reaction. They trigger a revenge motivation and evolve into the mobilization of
violent action (Sageman, 2008).
Extremist Forums. This theory, as asserted by noted criminologist Edwin Sutherland
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 93
(2012), is based on the notion that, over time, people who interact with others of similar belief
systems within forums, chat rooms, and other online applications become socialized to the
message and the culture of the larger group. When this happens, repetitive messaging by leaders
becomes normalized and extreme views or positions transform the individual. Words and beliefs
initially thought to be extreme or even irrational gradually become more internally mainstream
and ultimately validated. Neumann (2013, pp. 436-437) stated:
Without the Internet, you might have a few people in a community with a very
extremist view, but there wouldn’t be anybody else who shared their view. They
might come to the conclusion that these extremist views are wrong or incorrect or
kooky. With the Internet, they can always find others who share their views.
Suddenly there is [an entire] community that says, “You’re not crazy, you’re right.”
That’s very powerful.
Online Disinhibition. The Internet provides a sense of anonymity for users. Users can
post outrageous claims to seek validation from others with little risk. The online environment
allows extremists to seek approval and measure potential support. One can create a virtual avatar
of themselves and craft and convey thoughts that they do not initially believe. The anonymity
allows people to hide their true identities and act out fantasy roles. “The more isolated from their
society they become, the more their optimistic fantasies go unchallenged” (Richardson, 2006, p.
99).
Threats and assertions can be posted on forums and chat rooms with no oversight or
boundaries. Behavioral norms and established rules of communication in face-to-face group
settings are not applicable in online forums and chat rooms. Nonverbal cues, an integral facet of
communication, are absent from the online world. Extreme positions can be posted freely.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 94
Online dialogue can be effective in socializing impressionable participants. A similar dynamic
occurs within social media chat environments in which people often communicate with others
with whom they have never met. As a result, messaging and posturing can be more polarized
and vehement and this type of behavior can spill over into offline actions (Suler, 2004). The
implication being that one’s values can develop and evolve over time based on repeated online
exposure leading to them taking action outside the social media environment in pursuit of their
ideology.
Mobilization through Role Playing. Marginalized or socially isolated individuals can
live out an ideal illustration of themselves. They can project traits and attractive qualities which
they actually do not possess (Neumann, 2013). Sometimes, however, the gap between their false
identity and reality can be painful or depressing. In some cases, these marginalized individuals
feel like they can compensate for their inferior or unattractive qualities. A very select few might
choose to reconcile that gap and carry out violent actions in the real world (Neumann, 2013).
Links into Terrorist Networks. The online environment creates a network of social
interaction. The Internet provides a platform for like-minded people to reach each other in ways
once not possible. It serves as a platform and a conduit for influence. It provides a gateway to
common views and collaboration among groups. As the use of the Internet spreads
exponentially around the world, technological infrastructure advances, and bandwidth
capabilities continually grow, online radicalization will increase. Previously, if people had
extremist views, they might gather small support. Those movements were often short-sighted
and their efforts were minimized or devalued by others around them with differing viewpoints.
Over time, these subgroups would lose their power and influence. Their efforts would likely fail.
“For many terrorist groups, the Internet has come to be more than just a platform on which they
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 95
present their ideas: It is a center of gravity, holding together disparate and often unconnected
people in different cities, countries, sometimes even continents” (Neumann, 2013, p. 450).
Prior to the use of the Internet, reaching supporters around the world was impractical and
costly. If there were similar efforts or consensus among other subgroups in other regions or
countries, there was not a practical way to reach them. The mobilization of these groups was
costly and geographically impractical. Extremist groups struggled to create a cohesive message
and therefore were not able to rally enough sustainable support.
Peer groups play an important role in developing terrorist views. Although people
choose to become involved in extremist activities for a wide variety of reasons and first-hand
empirical evidence is limited, the influence of peer groups as part of this socialization process
has become a recognized theme. A 2003 research study which involved interviews with
incarcerated Middle Eastern terrorists found that peer influence was cited as a dominant reason
for joining a terrorist group (Bowman-Grieve, 2013).
Countering Online Radicalization in the United States
Extremist groups have embraced technology to advance their causes. The U.S.
government and its allies can counter their efforts with a comprehensive strategy. There are
three primary strategies to reduce online radicalization in the United States today. Those are
reducing the supply of information, reducing the demand, and exploiting the Internet for
intelligence gathering.
Reducing the Supply. To reduce the supply of content available on the Internet as a
strategy to combat online radicalization is complex and challenging for two reasons.
First, the Internet, like other media of information distribution, is protected by the First
Amendment of the U.S. Constitution. While there are certain examples of exceptions and
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 96
exclusions to those First Amendment protections (not covered in detail in this chapter), efforts to
remove or reduce the availability of extremist rhetoric should not be the primary aim of U.S.
government anti-terror policy. Second, the U.S. is known worldwide as a strong advocate for
freedom of speech and the protection of individual rights. “In its foreign policy, the United
States has become a global champion of Internet freedom and the free flow of information, with
former Secretary of State Hillary Clinton repeatedly speaking out against electronic curtains,
firewalls, and other kinds of online censorship in countries like Syria, North Korea, China, and
Iran” (Neumann, 2013, p. 438). Constitutional free speech protections are broad and extensive.
As a result, agreeing on established criteria of what ought to be policed on the Internet would be
difficult. Additionally, a formalized process to remove or restrict harmful content or certain
websites would be subject to judicial oversight and review, creating an entirely new set of legal
obligations and associated political fall-out. Monitoring and addressing the large amount of
content posted daily to the Internet would be costly and laborious. The monitoring of static
websites might be manageable at some level but so much of web content now flows within
dynamic platforms—blogs, forums, instant messaging, chat rooms, and user generated posts and
re-posts. The process of creating dynamic content online is occurring all day, every day seeing
exponential growth and measured in levels of gigabytes of data. The most challenging aspect of
reducing the supply is that the dynamic and interactive platforms are thought to be the most
active sources of extremist content and the essential tool for online radicalization to occur
(Neumann, 2013). Given these circumstances, the U.S. government foreign policy, long
established law and legal protections, the censoring, removal, or take-down of this type of
harmful content would not be a viable or effective strategy.
Reducing the Demand. In the previous section, it was argued that efforts to reduce the
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 97
supply of extremist and violent content are ineffective. The essential step to reduce the quantity
of extremist content and to effectively counter online radicalization can be achieved by creating a
virtual online community which promotes values such as democracy, freedom, and tolerance,
among others. If done effectively, it might weaken the extremist messaging, violence, and
terrorism content.
The existing freedom and unclear boundaries of the Internet have allowed many more
voices to be heard. Those once silenced by marginalization, media filters, and restricted access
to content media and distribution networks now have an opportunity to disseminate their
message. “The Internet turned the situation on its head: It gave everyone access, reduced the
cost of publishing to virtually zero, and eliminated the reliance on journalistic middlemen”
(Neumann, 2013, p. 444). As a result, there are many more choices for content on the Internet.
Websites that counter extremist positions and debunk terrorist propaganda could be effective
tools to weaken the harmful impact.
Strategies for reducing the demand can be organized into five categories (as outlined by
Neumann, 2013): creating awareness, building capacity, counter messaging, engagement, and
promoting media literacy. First, creating awareness is the process of utilizing offline efforts to
promote a peaceful message. The core objective of this initiative would be to mobilize support
within diverse communities. The aggregate of these communities could be powerful forces in
countering terrorism. Government, intelligence agencies and law enforcement depend on
community groups, religious organizations, and partnerships for investigations and crime
suppression. Internet safety workshops, community meetings, and school presentations hope to
reach young people to inform and educate them about terrorism. These outreach programs create
understanding, promote awareness, and solidify open lines of communication.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 98
Second, the concept of building capacity requires that outreach occurs not just with U.S.
citizens but also with international visitors and foreign audiences. This can occur through
community meetings, online forums, chat rooms, and blogs. The outreach aims to promote
enthusiasm among prominent and widely respected groups with the intent that they will help to
reinforce these messages to peers in their communities. Essentially, they should act as
ambassadors of democracy and peaceful government processes.
Third, counter messaging involves the direct messaging to disprove, devalue, and
diminish the impact of the extremist agenda. This type of messaging can utilize some of the
same channels that the extremists use, such as chat rooms, Facebook groups, Google groups,
YouTube posts, and blogging. Research indicates that the government is not the most effective
direct conduit of such messaging but rather an enabler for other community groups to
disseminate and distribute such content (Neumann, 2013).
Fourth, research indicates that direct engagement and discussion with these extremist
groups in their online environment to address falsehoods and conspiracies is a necessary strategy.
There are challenges and uncertainty in determining how the U.S. government might be able to
do this within appropriate legal, ethical, and political boundaries.
Fifth, the promotion of media literacy within schools is an essential long-term strategy to
combat extremism. Currently, many schools have Internet safety training surrounding other
harmful warnings about online predators and identity theft. Creating awareness and knowledge
surrounding extremist content would also be helpful. Students should be trained in the proper
use of the Internet for searching, understanding some of the pitfalls of searching online, and how
to critically evaluate research on the basis of its validity and credibility. User-generated and
dynamic content, as previously discussed, continue to be the most troubling and concerning
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 99
characteristics of the Internet since they are the most difficult to track and monitor.
Exploiting the Internet. Technology is providing terrorists with a valuable tool while
simultaneously providing intelligence agencies and law enforcement with investigative leads. As
technology grows (e.g., Internet bandwidth, content transfer efficiency, robust software
applications, etc.), it is anticipated that terror groups will continue to utilize the Internet as a
means for recruiting, dissemination of content, and purchasing of illegal contraband.
Intelligence agencies and law enforcement agencies must leverage the terror groups’ increasing
dependence on technology to monitor their activities. In a 2010 Congressional hearing, the
executive director of the American Civil Liberties Union (ACLU) endorsed the government’s
exploitation of the Internet stating, “we can and should be using terrorists’ online
communications to learn as much as is lawfully possible about those who should do us harm and
their activities and motives” (Neumann, 2013, p. 449).
This approach has three primary components: overt / open source surveillance, covert
monitoring, and public-private partnerships. Overt surveillance requires government officials to
monitor the Internet based on public source documents and all open platforms of social media.
Valuable intelligence gathering and vital investigative information comes in the form of public
records.
Second, covert surveillance and monitoring through undercover identities and
confidential informants is also integral to combating the spread of extremist propaganda. Law
enforcement officers can acquire fictional identities online to protect themselves and infiltrate
certain websites, chat rooms, or blogs to gather information for investigative purposes. This
information can be aggregated, assessed, tracked, and followed-up on when appropriate.
Third, large companies such as Facebook, Twitter, and Google, which all store massive
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 100
amounts of detailed information and track users’ behavior, can be valuable resources during
investigations. Lawfully issued search warrants can be an important part of an investigation and
those companies are required to cooperate. However, from a long-term strategic perspective, the
more valuable dynamic is the behind-the-scenes rapport and ongoing positive relationship
between government officials and corporate security leadership of all types of organizations.
Public, private, nonprofit, and charitable organizations can each play an important role by
regularly gathering potentially helpful information and providing it to law enforcement.
Enhancing public-private partnerships to build trust between police and large corporations. This
would in turn allow for investigations to be collaborative. The disclosure of information for an
investigation is essential for anti-terror efforts. Finally, the understanding of how sophisticated
data mining techniques can be leveraged counter radicalization will be critical as well. Data
mining techniques are algorithms which strategically sort massive layers of content traveling
though the networks of the Internet so that intelligence agencies can follow-up on people of
concern. Their efforts can be targeted and specific based on credible intelligence.
Conclusion
The U.S. and its allies will grapple with terrorism for years to come. Online
radicalization will continue to be an essential part of extremist recruiting and messaging.
Extremist groups have borrowed established marketing techniques as part of their recruitment
efforts and use them very effectively (Powers, 2014; Bowman-Grieve, 2013). As extremist
groups become more adept at using the online environment to enhance their positions and
influence more people worldwide, counter efforts must be deliberate and strategic.
The Internet will remain a prominent fixture in the recruitment and radicalization of the
young and vulnerable both in the United States and worldwide. The efforts by terrorists and
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 101
extremist groups will undoubtedly evolve and adapt over time since their objectives are being
met. There are three essential recommendations that policymakers should consider to reduce the
supply of online rhetoric and more importantly, reduce the demand. Greenberg (2016) provides
three main strategies:
Reduce the Supply. Online intervention is the first important initiative. Law
enforcement should partner with Internet service providers (ISP) to identify propaganda
and extremist recruiting websites. There are limitations to this recommendation. The
unregulated nature and scale of the Internet make the discovery of these websites
challenging. For example, when one website is taken down by an ISP, another is
launched. Even so, efforts to curtail these recruiting efforts by reducing the supply is a
worthwhile effort.
Reduce the Demand. As effectively as terror groups have leveraged the Internet to
reach vulnerable young people around the world in hopes of converting them to freedom
fighters, efforts to reduce the demand through community engagement is the second
recommendation. Community engagement can take on two primary forms, online and in-
person. Online efforts use social media to promote positive community involvement,
encourage diversity and understanding, and seek to drive enthusiasm around peaceful
movements and causes. Direct engagement is best accomplished through the use of local
community leaders at the grass-roots level. Examples might include churches, clubs,
charities, and foundations that work closely to promote tolerance, open discourse, and
group engagement.
Countermessaging. In 2011, the White House announced a counter-radicalization
strategy to address the increasing number of cases in which terrorist groups were
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 102
recruiting US citizens (Greenberg, 2016). Their efforts focus around online messaging
which emphasized the realities of ISIS and al-Qaeda’s global activities. Some of the
messaging included debunking ISIS claims, highlighting their history of violence, and
illuminating the realities of terrorism. Both the message and the messenger matter.
Spokespeople should include community leaders, Muslim immigrants, and reformed ISIS
sympathizers, not only government officials and police.
Decisive legal actions which include the take-down of threatening language, the issuance of
search warrants when required, and the aggressive prosecution of criminals, are all essential
pieces to a tactical plan. However, to achieve a true tactical advantage against such a formidable
enemy, the exploitation of emerging technology—some of the identical tools being used against
us—are at the core of an effective campaign to counter violent extremism and terrorism. The
exploitation of technology coupled with community outreach and support programs, both
domestic and abroad, provides the best chances to combat radicalization and potential future
terror attacks.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 103
Chapter 7 – Cyber Threats in the Information Age
Advancements in technology have created new threats to end users by inextricably
linking computer networks and society. A dilemma has emerged in which progress enabled by
technology is simultaneously making computer systems less safe. Cyber-threats highlight this
concern and underscore the inherent vulnerabilities of technology dependence. Throughout this
chapter (and in research), numerous terms which utilize the prefix “cyber” are referenced. Some
of these examples are cyber-space, cyber-attack, cyber-threat, cyber-terrorism, or cyber-
espionage. “Cyberterrorism refers to premeditated, politically motivated attacks by subnational
groups or clandestine agents against information, computer systems, computer programs, and
data that result in violence against noncombatant targets” (Warf, 2016, pg. 144). For the
purposes of this discussion, the term cyber-threats will be primarily used. Cyber-threats are
those threats and risks which focus on the use of the Internet, interconnected computer networks,
electronic modes of communication, and industrial control systems. Of the various options, it
provides the broadest definition to cover the range of topics covered below.
Critical infrastructure systems of key sectors run exclusively on networks. Air traffic
control, global positioning satellites, dams and levees, nuclear power plants, and chemical
factories all depend on highly specialized computer networks for daily operations. Their
performance, efficiency, and self-auditing capabilities require technology-based applications.
This critical dependency leaves operations vulnerable to failure, either accidental or malicious.
“In an era of globalization in which people around the world are increasingly interconnected via
transportation and communication infrastructures, the network is both a material and a
metaphorical reality” (Jagoda, 2012, pg. 22). Rapidly-advancing technology, as it is released to
the market, will create new opportunities for those wishing to commit malicious acts using
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 104
cyber-threats.
The U.S. federal government reported a 78% increase of hacking incidents from 2013 to
2014 (Sullivan, 2016). Banking and finance, telecommunications, and utilities are sectors that
present appealing targets for rogue hackers or terror groups focused on disrupting continuity and
operations. Catastrophic economic disruption might be a more powerful tool of terrorists today
than traditional methods of bombings and other violent attacks. Adversaries are writing
disabling software code, hacking into military computers, and compromising classified
information. As their tradecraft improves and new technology offers new tools to commit harm,
the need for new policy will be enormous. This discussion will underscore the urgent need to
create practical and effective security policy consistent with the stream of contemporary threats.
The security risks have national and international implications (Ciolan, 2014).
Background
Technology-dependent infrastructure provides an attractive target for adversaries and
provides a reliable medium for new criminal activities. The mostly unregulated and
decentralized nature of the Internet intensifies this threat. Malicious actors use this to their
advantage. Terrorists can remain largely anonymous, work remotely, and elude capture. They
are able to remain out of the traditional battlefield but still positioned in a way to create harm.
“Even though cyber-attacks do not have the dramatic image of an exploding bomb or a plane
crashing into a building, they can seriously damage the government services, decrease people’s
trust in financial transactions, jeopardize business activity or break down the electronic
communication system” (Ciolan, 2014, pg. 121).
In 2014, the Sony Pictures Entertainment global network was, according to multiple
sources, breached by North Korea (Sullivan, 2016), derailing a movie release, causing global
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 105
business disruption, and amassing an estimated $42 million in financial loss (Spilman, 2016).
Movie scripts, internal email communications, and proprietary information was released over the
following months. The investigation by the FBI lasted for over a year. “The intrusion may have
begun more than a year before it was discovered in November 2014” (Sullivan, 2016, pg. 2).
While the Sony attack, now three years old, is among the most publicized examples of
how complex these threats are, government officials ominously expect more of these types of
attacks in the future. These threats are complex because they often involve transnational players,
they can be difficult to prosecute, and the network breach often occurred long before the victim
became aware of it. America’s potential challengers continue to strengthen their cyber warfare
capabilities. “China has developed official military doctrine for cyber warfare, trained large
numbers of military officers to conduct offensive operations on the Internet, and conducted an
extensive series of exercises and simulations” (Breen & Geltzer, 2011, pg. 48).
In discussing cyber-threats, it is helpful to summarize the different types of attacks, as
categorized by Luiijf (2014). There are four categories: a) traditional crime as it relates the use
of technology such as forgery and fraud, b) illegal content such as pirated movies and music that
is reproduced and distributed, c) crimes associated with electronic networks such as hacking and
denial-of-service attacks (a deliberate attack to cause business disruption by overwhelming the
network with rogue online traffic), and d) cyber-crimes, unique to cyberspace which aim to take
down power systems, critical infrastructure, and computer networks. This chapter will focus
exclusively on attacks on electronic networks.
Characteristics of the Internet
Globalization continues to create borderless networks for communication and business.
But at the same time, risks and vulnerabilities become more pronounced. “As technology
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 106
advances, so do the potential threats” (Sewell, 2004, pg. 42). The Internet has a profile and
certain attributes that allow it to be exploited by terror groups or political adversaries. It is
important to highlight three characteristics of the Internet that make it particularly attractive for
ill-intentioned groups. These are anonymity, low barriers to entry, and sporadic regulation. As
part of this discussion, it is important to highlight them.
1. Anonymity: Attackers can breach networks and hack into computer systems without
detection. Readily available software and hardware tools allow these rogue activities
to remain largely untraceable. Determining the point of origin of these attacks can be
difficult. Breen and Geltzer (2014, pg. 48) noted, “The decentralized and byzantine
structure of the Internet itself intensifies this threat, in that it is increasingly possible
for state and non-state actors alike to develop and employ cyber-warfare capabilities
anonymously or through potentially oblivious proxies, making deterrence a difficult
proposition.” The war context provides a compelling illustration of this challenge:
“Unlike a missile launch that has a discrete signature and geographic location, those
that employ cyber tactics can easily hide their origin which makes attribution
extremely difficult” (Reveron, 2012, pg. 10).
2. Low Barriers to Entry: There are no obvious superpowers of cyber-threats because
bad actors are diverse and the required technology is widely available. These attacks
might come from a highly coordinated effort by a nation-state, a small overseas terror
group, or a disgruntled employee acting alone. The minimum tools required to carry
out an attack are a computer, an Internet connection, and a technological know-how
of computers. Due to these low barriers to entry, the use of the Internet for a base of
operations is relatively cheap and easy. As the Internet bandwidth grows and its
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 107
global accessibility expands, the barriers to entry will continue to decline. With this
transition comes an increasingly concerning risk exposure. As Heickero stated,
“Since the Internet is not regulated and it is possible to spread information at a low
cost, even small groups of players can gain a lot of attention” (2014, pg. 558).
3. Uncertain Rules and Limited Regulation: The Internet has advanced greatly but with
sporadic strategic oversight. It has become ubiquitous and decentralized. The status
of rules, regulations, and compliance remains firmly entrenched in uncertainty.
Cultural barriers, geographic diversity, and rapid growth compound this challenge.
Efforts by policy stakeholders around the world are not always coordinated and
consistent. For example, certain countries restrict and control Internet usage within
their borders. Others believe in an open platform with few barriers or controls.
Legislative efforts to regulate or control the Internet may vary greatly with legislative
efforts in China. Weimann (2008, pg. 70) noted, “This is a decentralized medium, it
cannot be subjected to control or restriction, it is not censored, and it allows access to
anyone who wants it.” The nebulous future of the Internet from a regulatory
perspective will continue to benefit adversarial nation-states or terrorist groups.
Network Attacks
This section explores how our dependence on computer networks for business,
communication, utilities, and much more will present complicated challenges in the near term.
Over the past few decades, information and communication technologies (ICT) have gone
through various innovation cycles. As new products emerge, organizations implement them.
Some of these applications improve speed. Others improve efficiency. There is a categorical
business demand for improved systems and new technology. However, the use of the Internet,
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 108
the interconnectedness of systems, and a web of highly dependent networks around the globe has
opened up opportunities for asymmetric warfare on the battlefield, cyber-threats, and cyber-
terrorism.
Emerging technology is driving worldwide progress and economic growth. It is at the
forefront of business research and development. Large corporations depend on technological
integration for global business operations like email, online content delivery, supply chain
integration, and logistics. Furthermore, the provision of essential government services is
dependent on systems that are linked to the Internet. Connectivity creates access. Access
improves efficiency and allows for global growth opportunities. The networks are potential
targets of continued attacks.
These developments are outpacing policy. ICT continues to expand at a pace which
prevents researchers and developers from adequately assessing security and risks associated with
that growth (Luiijf, 2014). Efficiency and innovation are the core objectives so security
vulnerabilities are rarely anticipated appropriately and sometimes overlooked completely. The
overwhelming pressure to bring innovation to the market can overshadow the concern of security
risks. As electronic networks grow in size and complexity so does the risk exposure.
Adversaries of all types recognize this vulnerability and see the relative ease of carrying out
attacks. “Due to the fact that more and more systems are interconnected and dependent on
computer networks, new vulnerabilities appear that can be exploited by ill-intentioned
individuals and groups” (Heickero, 2014, pg. 555).
Large corporations are not the only organizations highly dependent on networked
systems. Governments are increasingly dependent on technology to provide essential public
services. ICT has become an integral part of networks including public utilities such as power,
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 109
gas, and water. These networks create efficient and reliable automation. “ICT found its way in
the automation of physical and real-world processes such as in the chemical industry, switching
of rail points, and the control of power and water grids” (Luiijf, 2014, pg. 23). This advanced
level of integration and automation utilizes an operating platform called SCADA (supervisory
control and data acquisition). SCADA systems allow for highly sophisticated methods of service
delivery. Many of these systems are dynamic and provide uninterrupted auditing through
elaborate monitoring capabilities. This allows for the interrupted assessment of wide geographic
regions and provides a data feedback loop so adjustments can be made in real time. Some
examples of systems that use this platform are dams, gas pipelines, electrical grids, and sewage
treatment facilities. Examples of the adjustments that might be made to the systems could be
related to environmental (earthquake, flood, wind, rain) or social factors (power demands during
the summer, water conservation during a drought, or adjusting water levels based on recreational
needs of users).
Critical and essential infrastructure delivering power, water, and gas are all closely
intertwined with SCADA systems. Although these systems and the capability to remotely
oversee them to leverage automation and speed are not new, the risks associated with them have
become a bigger concern due to technological advancements. A successful attack on the public
utilities infrastructure could raise widespread fear, impact safety, and cause a significant
financial impact on the economy. Those impacts align closely with the objectives of many
overseas terror organizations. An attack to the SCADA system that controls and manages
critical infrastructure may have been unthinkable in the past, but with current technological
developments, it is now possible for the SCADA system to become a target for terrorists (Ahmad
& Yunos, 2012; Halopeau, 2014; Pedersen, 2014; Heickero, 2014; Reveron, 2012).
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 110
Threats Due to Interconnectedness. The interconnectedness of systems and technology
creates security challenges within the essential infrastructure of critical sectors. As ICT becomes
more critical to innovation and progress, there are numerous examples of key emerging threats.
Emerging threats in different arenas are summarized by Luiijf (2014, pp. 24-28):
Modern Living. Digital TVs are now connected to home networks and to the Internet.
As these devices gain popularity and market share, so will the risk profile for hacking into these
and other connected devices to something called botnets (a type of computer breach discussed in
greater detail later in this chapter) within networks. Additionally, home robots such as
innovative thermostats that synchronize with in-home Wi-Fi networks and can then be accessed
remotely, pose new risks that are not fully vetted by programmers yet. The strategic linking of
home appliances and devices with networks for convenience is referred to as the Internet of
Things (IoT). As people’s homes become more reliant on networks and web-based applications,
the more vulnerable they are to hacking.
Health / Medical Sector. ICT-based systems are now used to monitor individual health
metrics such as insulin pumps and pacemakers. They could be hacked through their wireless
interface. Consider the possibility of an attack on hospital networks strategically timed during a
major incident or crisis. For example, disabling or destroying the medical records database
immediately following the Boston Marathon Bombings of 2013 would have been devastating to
the 264 patients who were being treated. In this attack, many of those patients had moderate or
major injuries and a disruption of any type, whether accidental or malicious, could have cost
lives.
Financial Markets. Near-field-communication (NFC) chips are the new innovative way
to execute a financial transaction by the holder of a smart phone. This technology allows for a
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 111
multi-layer authentication process using one’s cellular phone or computer tablet. This type of
interface incorporates financial and personal data. It also has the potential to be hacked and
remotely controlled by attackers. Sensitive personal and financial data could be accessed and
misused.
Transportation Industry. Planes, trains, and automobiles are now powered and
controlled by computers. These devices aid in the overall operations, monitor and report on
general conditions and status of equipment, and capture essential data after an accident or crash.
This level of automation provides a superior level of control and management while
simultaneously creating security vulnerabilities. A terror group could bring down a plane or take
control of a vehicle to cause it to drive into a crowded pedestrian area. The increasing use of
semi-autonomous vehicles coupled with the increasing demand on interconnected networks
create more opportunities for the attackers.
Utilities Sector. Smart meters linked to public utilities such as power, water, and gas are
becoming more common. These allow end users to modify their usage to save money, sell
power back to the grid, and so on. Smart meters create a pathway between home networks and
public utility networks which did not previously exist. As a result, an attacker could spread a
virus to a larger number of victims with less work due to the increased interdependence.
However, the platform simultaneously opens up a key risk for hackers or terrorists to disrupt or
shut down public utilities. A widespread attack could have dire health and safety consequences.
Case Study: Asymmetric Cyber-Warfare in the Military
Various strategies deployed within a military operation mirror this technology dilemma.
Although U.S. defense policy is not an essential topic of this chapter or project overall, indeed it
provides a relevant and appropriate overlay for our discussion about cyber-threats. Evolving
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 112
military tactics based on emerging technology provide a case study. For example, as a military
power becomes more advanced, nimble, and data-driven in its efforts, it frequently utilizes
technology to its advantage. It might have large numbers of missile launchers or unmanned
drones remotely deployed using linked computer networks. The resulting challenge occurs when
the dependence on computer systems opens new areas of vulnerability. If the network is
inoperable, the missile launchers or drones cannot be deployed.
An often used term in military strategy is asymmetric warfare. Asymmetric warfare is
the ability for one side to turn the opposition’s strength and power into a weakness. The core
objective is to exploit the weaknesses of the opponent through unusual or unconventional
methods. For example, if a clearly under-matched extremist group can completely disable the
computer network of a powerful opponent, it can mitigate its size disadvantage. Traditional
research about defense policies during wartime generally associated asymmetric strategies with
the tactics of the weak and the small since they had fewer traditional resources. Essentially, the
over-dependence on technology (by the superpower) creates new risk which can be exploited by
its opponent.
In the decade following 9/11, the term ‘asymmetric warfare’ became more widely used
(Breen & Geltzer, 2011). The exploitation of emerging technology for asymmetric tactics will
continue to grow and expand. The Internet provides an essential medium for such efforts. The
interconnected networks provide a valuable tool when leveraged against the opponent. The use
of the Internet for battle coordination, intelligence gathering and analysis, disruption of aviation
or maritime coordination, or the spreading of anti-American propaganda all leverage technology.
The use of advanced technology can offset classic advantages such as more troops and stronger
ground assets (e.g., tanks, missile launchers). As a result, superior technology used by terrorists
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 113
can serve as the great equalizer in war time conflict since it shrinks the advantage of
superpowers. The effectiveness of cyber-threats underscores this tactic by transforming an
apparent American strength—the technologically advanced, elaborate synchronization of
efforts—into a weakness (Breen & Geltzer, 2011; Weimann, 2008). An asymmetric strategy
allows smaller, traditionally less powerful groups to garner more power. The attack on 9/11
itself highlights this and provides the most compelling example of asymmetric strategy in recent
times. “America’s global economy, relatively porous borders, open source intelligence and
information, and inadequate law enforcement resources allow access to a range of goods,
services, and information that together can be developed into formidable weapons” (Breen &
Geltzer, 2011, pg. 43). New technology has created a paradigm shift in that asymmetric tactics
could be used by any group in any category.
Common Cyber-Attacks
Cyber-space allows for wide access and ease of entry for a diversity of users. This
platform provides expansive opportunity for economic growth. Research and development
efforts use the Internet as an essential tool for innovation. At the same time, rogue individuals,
extremist groups, terrorist organizations, and some governments use cyber-space to advance
malicious interests (Reveron, 2012). The interconnectedness of business and society has created
an environment in which computers can be used as tools for both destruction and disruption.
There are six primary cyber- threats which are an important part of this discussion: zombies,
botnets, Trojan horses, logic bombs, viruses, and worms. These threats are sometimes referred
to as malware. It is important to define these as an essential component of our discussion.
Zombie. A zombie is a computer that has been covertly compromised to allow a third
party to take control of it (Reveron, 2012). Once the machine has been compromised, it can be
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 114
used individually or collectively with other computers to acquire unauthorized information and
track the behaviors of authorized users.
Botnet. A botnet is a group of zombie computers. The collective impact of a large
number of zombie machines can be devastating to networks and system infrastructure. A botnet
is most often employed by hackers for scaled coordinated attacks which cause network
disruption by overwhelming the infrastructure which prevents legitimate operations from
occurring. This results in what is called a denial of service (DoS) attack. Consider how
impactful a botnet could be when utilized in a coordinated effort to disable public utility systems.
If orchestrated successfully, a large metropolitan city or an entire region of the country could be
essentially shut down from a computer keystroke. This type of attack would have powerful
social and economic consequences.
Trojan Horse. A Trojan horse is an unauthorized program which gains access to a
computer via another, legitimate application. Frequently, Trojan horses are embedded within
commonly used software or can be covertly inserted into a YouTube video download or image
file. The user downloads the intended file without realizing that the stealthy code is secretly
embedded. In most cases, the actual software or downloaded image performs as expected so the
incident can happen undetected. Once the Trojan horse is successfully embedded within a
system, it can send out messages to a third party, track username and password keystrokes, and
allow for the transmission of confidential data back to the attacker. Because the intrusion often
happens long before the victim becomes aware, these types of attacks can be very effective at
acquiring private information. Furthermore, since the downloading of videos and images online
is an everyday occurrence, these attacks are becoming more common.
Logic Bomb. A logic bomb is a camouflaged segment of a program which creates a
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 115
trigger condition based on certain pre-set parameters (Reveron, 2012). Logic bombs might be
used by an insider who programs certain actions to occur when defined conditions are met. For
example, a programmer could set a code within the internal corporate network that would cause
the important data to be immediately hidden or deleted if he were ever terminated and his name
removed from the active directory employee database. As a method of cyber-terrorism, logic
bombs could be deployed by adversaries against the United States. The U.S. is very vulnerable
to this type of attack because its infrastructure is so dependent on computer networks for
essential public services and infrastructure (Bist, 2014).
Virus. A virus is malicious code that can self-replicate and cause damage to the systems
that it infects. Viruses have been particular damaging because of the speed at which they can
spread from machine to machine within a larger network. Once the virus has spread to a system,
it can delete information, modify files and internal configurations, and run undesirable programs.
A virus differs from a logic bomb because it replicates and infiltrates the network somewhat
arbitrarily instead of being dependent on a triggering event.
Worm. A worm has similar capabilities to a virus but it is unique in that it can replicate
and spread without infecting other operating system files. The worm is specifically designed to
spread in ways that leave existing operating systems operational. In contrast with a virus, the
operating system can continue to function as intended so it can remain in place undetected for an
extended period of time. It can replicate and spread through the use of the Internet or within an
individual network. Worms can take over entire systems quickly and without detection, and they
are difficult to track back to their point of origin (Pratama & Rafrastara, 2012). Ultimately a
worm causes disruption and damage to important system files.
Each of the cyber-threats defined above will continue to create risk within networks. As
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 116
networks grow in scale and complexity, this type of malware attack can have a destructive
impact. Specific examples of how these types of threats can be carried out in malicious ways are
covered in the next two sections.
Case Study: Attacks on the Supply Chain Process
Essential business processes utilize new technology. The supply chain’s interconnected
logistics all depend on IT systems for coordination, shipping, tracking, and delivery. New
technology has provided an efficient network to execute the sophisticated global delivery of
goods. These technological advancements provide untold growth opportunities and business
efficiencies. Products can be tracked in real-time and deliveries can be easily adjusted remotely
with the simple stroke of a keyboard. However, these logistics systems can be attacked. “Given
the reliance on vendors that run systems for companies, businesses should review third parties
that operate or have access to critical IT systems” (Keegan, 2002, pg. 37).
To illustrate how vulnerable IT systems can be to malicious attacks, the following
scenarios provide hypothetical examples of how technology can be exploited and what harm can
occur as a result. Urciuoli et al. (2013) summarize three scenarios which exploit supply chain
and logistics networks for malicious reasons (pg. 62-63). They are weapons trafficking in
maritime containers, pharmaceutical sabotage, and cargo theft.
Scenario 1: Weapon Trafficking in Maritime Containers. Firearm trafficking is
nothing new. It is the illegal sale and distribution of weapons across national borders. This type
of criminal activity is usually the work of transnational criminals, terror groups, or drug cartels.
The primary objective is to acquire prohibited weapons, purchase black market guns at a
discounted rate, and elude detection by authorities. These groups take extreme measures to
ensure that their purchases cannot be tracked or traced. In using technology to their advantage,
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 117
they can hack into an authorized distributor’s logistics software and create false shipping
receipts, acquire clearance, or be granted forged inspection approvals. This tactic could go
undetected for extended periods of time, leverage legitimate shipping channels, and exploit the
existing supply chain network to their advantage before the victim realizes that their network has
been compromised.
Scenario 2: Pharmaceutical Sabotage. The formulas and ingredients the
pharmaceutical companies use to create drugs are coveted intellectual property. These
companies take exhaustive measures to protect it. Using a Trojan horse and acquiring data over
the course of months or even years, the medicine formulas, shipping schedules, third-party
provider lists, and press releases could all be utilized in a malicious way. The attackers could
take control of the production process with the intent to sabotage the company. For example, the
hackers could partner with a terror group to create a fatal combination of medical ingredients
causing fear, panic, business disruption, damage to the brand, and even death. An adversarial
pharmaceutical competitor might simply want to increase their market share or cause bad
publicity by manipulating schedules or disrupting businesses processes. Terror groups’ motives
might be more sinister. Even if the plot was uncovered, the damage could be irreversible.
Moreover, tracking the scheme, investigating what occurred, and identifying the culprits could
take a long time.
Scenario 3: Cargo Theft. Cargo theft is a relatively common occurrence today. Thieves
can take advantage of inadequate security measures, outdated tracking processes, and loosely
enforced customs procedures (customs processes can vary country-to-country). Hackers can
acquire back door access via a zombie computer or a Trojan horse to capture shipping schedules,
arrival times, bills of lading (documents which detail shipping of merchandise), and employee
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 118
data. The bill of lading (either authorized or fraudulent) could be deleted and the associated
shipment stolen thereby eliminating the tracking records. This reduces the chances of anyone
noticing the omission, creates post-incident forensic challenges, and diminishes the chance of
prosecution. By the time the company has detected the missing shipment, the product is gone.
The examples above are intended to be illustrative and aim to create a deeper
understanding and awareness of new risks. As computer technology and network
interconnectedness create an innovative web of information access, the resulting risks will
continue to raise concerns. U.S. companies face a range of threats caused by vulnerabilities of
supply chain networks, logistics systems, and foreign contractors (Sewell, 2004).
Notwithstanding the hypothetical examples above, it is essential to also review and assess some
recent examples where cyber-terror was either the cause or strongly suspected.
Notable Technology Based Incidents
As discussed earlier in this chapter, the Internet provides an attractive layer of anonymity
for users. The strong dependence on technology for business operations and public utilities
infrastructure creates security policy challenges with long-term implications. Adversaries will
continue to pursue gaps and vulnerabilities in these networks. There are recent examples of
reported cyber-attacks carried out by individuals, nation states, and extremist groups. There are
many more examples that could be portrayed here but the following three are particularly notable
for the purposes of highlighting key themes discussed in this project.
Spanair’s Plane Crash. A plane crash in Spain that killed 154 passengers and crew in
2008 at Madrid-Barajas airport was traced back to the airline’s central computer which was
found to be infected by malware (Heickero, 2014). Just prior to the crash, multiple emergency
alerts were sent from the plane to the control tower. Due to the computer virus, those alerts
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 119
never reached authorities on the ground and no alarms were sounded as intended. Others have
cited such concerns: “Terrorists and criminals could take control of computer systems in a Trojan
horse attack and thereafter shut down security systems or disrupt critical logistics services, such
as an air traffic control system” (Urciuoli, 2013, pg. 61). Malware is strongly suspected to have
played a role in other plane crashes in recent years, despite the absence of indisputable evidence
(Fox, 2016). For example, the cause of the Malaysian Air Flight 370 crash in March 2014
remains a mystery. In December 2016, the investigation was closed. The plane was never
recovered.
The Spanair crash investigation findings were ultimately classified as inconclusive and
there was no proof that it was deliberately caused by terrorists (Heickero, 2014). However, this
tragedy underscores the essential dependence on technology of our utilities, transportation,
energy, and communication infrastructure. Whether the network outage that contributed to the
tragedy was accidental, careless, or malicious, it underscores the vulnerability. Accordingly, that
potential over-dependence on networks can lead to dire consequences as it relates to safety and
security.
Stuxnet Computer Worm. The Stuxnet worm in 2010 was the first worm specifically
designed to attack essential infrastructure and industrial control systems (Menn & Watkins,
2010; Reveron, 2012). A 2012 article indicated that the United States, with Israel’s support, was
involved in the creation of Stuxnet to disrupt Iran’s nuclear program (Roscini, 2015).
Independent of the source, this worm caused great concern among industry experts for a variety
of reasons. First, it underscored the vulnerabilities of our essential infrastructure and raised fears
of similar attacks in the future. With the strong dependence on software-based industrial control
systems for key services, it is difficult to protect all of the assets with a high degree of assurance.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 120
Second, the Stuxnet worm, with its highly sophisticated method of attack, showed officials that
attackers have progressed in their efforts. The tactics employed by those wishing to do harm will
pose long-term challenges and will dictate the need for our protective measures to keep pace.
Thoughtful security policy will be vital. Third, difficulties remain in combating this threat due to
poor communication between computer experts and government officials (Menn & Watkins,
2010). Fourth, this type of worm creates increasing risk of an accident at a key infrastructure site
such as a nuclear power plants. Public-private collaboration is an essential initiative going
forward (this is covered in Chapter 9). The future of core infrastructure will increasingly
leverage the Internet for efficiency, thereby perpetuating these challenges.
Russian Invasion of Georgia. Before invading Georgia in 2008, Russia executed a
sophisticated and unprecedented cyber-attack on its enemy. Their objective was to defeat control
systems and gain an advantage on the ground during battle. While the impact of their action had
limited effectiveness in the end, it immediately changed the way that battles are won and lost
(Reveron, 2012). It blurred the line between the physical and the virtual boundaries and
underscored asymmetric strategies that could be levied against enemies. In the future, such
attacks if orchestrated effectively could cripple military powers by creating outages impacting
essential networks. The full impacts of Russia’s action remain unclear, but it highlights
nonetheless how technology can be used in ways not previously considered.
Conclusion
New technology has created a new set of risks. Cyber-threats are among the most
concerning of these risks because of a porous technology infrastructure and an uncertain future.
Harnessing technology for advancement and growth has been a key theme of the past two
centuries. Networked systems and integrated software applications allow for mechanized
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 121
production to operate at the highest levels of efficiency. Technology allows for the highest
levels of optimization. However, this technological advancement has somewhat unwittingly
provided opportunities for rogue individuals, criminals, terror groups, and nation states to carry
out malicious actions.
Our dependence on network architecture for government services, fundamental
infrastructure, and organizational operations will continue to expand. The societal benefits of
such growth and dependence will be notable. In order to keep computer systems secure, protect
our content, and sustain a stable infrastructure, there are three essential recommendations. They
apply to security practitioners and policymakers:
Strengthen government network infrastructure. Public utilities and core community
services depend on networked systems for automation, monitoring, and trouble-shooting.
Whether it is the result of a terror attack, an accident, or mechanical failure, the
infrastructure can be vulnerable to failure or disruption. These networks enable essential
public services and support key infrastructure such as agricultural, electrical, nuclear,
aviation, and so on. Improving these systems through regular maintenance and
replacement programs is an important step for mitigating risks. In order for these efforts
to be effective in preventing attacks or disruptions, they must be proactive.
Increase public—private working groups. The private sector manages, oversees, or
secures many of the US Government’s critical infrastructure sectors. As a result, the
close coordination between the two groups is essential for preparation and planning.
Both sides need to embrace that coalition and look for opportunities to build alliances,
share information, and create mutually beneficial solutions toward risk mitigation.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 122
Create IT recovery plans. Our key industries and nearly all organizations are critically
dependent on networks for daily operations. Most of the recent literature surrounding IT
security indicate that cyber-attacks will ultimately impact all organizations in some
capacity. If organizations of all types –private or public, small or large, profit or
nonprofit—acknowledge that they will be the target of a cyber-attack in some form, their
efforts cannot focus only on prevention but also on recovery and resumption.
New technology is advancing while simultaneously creating grave risk exposure. Most
importantly and more concerning is that the strategy to combat cyber-threats requires a
participative and collaborative structure among all stakeholders such as private industry,
government, non-profit, and academic institutions. Without everyone working together,
solutions will be fleeting.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 123
Chapter 8 - Unmanned Aerial Vehicles
Emerging technology has created interesting and simultaneously complicated security
policy concerns. Drones, like the Internet and ubiquitous digitization, are yet another illustration
of how the rapid growth of technology has outpaced the legal and regulatory setting. This frantic
pace creates new and unique risks and safety concerns. Unmanned aerial vehicles (UAVs),
commonly referred to as drones, have become more popular in recent years. The term ‘drone’
refers to airborne devices that are controlled remotely by computer systems and operators on the
ground (Salter, 2014). In their earliest application, drones were used in overseas military
operations. For military tactics, they provide many advantages over manned aircraft for both
passive surveillance as well as active strikes on adversaries.
They are no longer an exclusive tool of defense firms and the U.S. military. New
technological advancements brought production costs down dramatically, offering expanded
access to a much wider group of people. Wider appeal then illuminated new use cases that did
not previously exist. Additionally, the use of drones has become more popular with weekend
hobbyists and photography companies. Hobbyists use them for entertainment in the same way
remote-controlled cars are used. Photographers utilize them for panoramic views of cityscape in
ways not possible with traditional cameras. The list of applications and uses is discussed later in
the chapter.
Drones have arrived as a mainstream tool with broader appeal. The risks associated with
that growth have not been addressed. As they become more common, the safety of such devices
will be called into question. “This boon in drone research, purchasing, and deployment far
outpaces the incipient initiatives to enact rules and laws to regulate this new technology” (Barry,
2013, pg. 65). This chapter will contextualize how drones fit into a broader concern among
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 124
security leaders on how to address new risks as technology continues to advance. Policy leaders
are simply not equipped to manage these new risks because the growth is organic, rapid, and
global.
Background
The proliferation of drones, both overseas and domestically, has been substantial (there
are some 300 types now) and remarkable (Barry, 2014; Kaag & Kreps, 2013; Vogel, 2013).
There has been a 1,200-percent increase in combat air patrols by drones since 2005 (Dowd,
2013, pg. 7). As drones become more widely used and the demand for them increases, the
associated societal impact creates unique challenges. In addition to the aforementioned military
organizations and defense contractors, now mainstream media, municipal police departments,
large sporting arenas, and professional photographers all see drones as a valuable tool. Policy
for the use of drones –including altitude restrictions, safety concerns related to collisions with
other aircraft or people on the ground, and privacy– has yet to be fully contemplated. The ethical
and policy terrain of drones creates uncertainty. From a legal and regulatory perspective, they
fall within an ambiguous area of the law.
Technological innovation over the past decade or so has led to an increased use of drones.
From a manufacturing perspective, the power source components are smaller, lighter, and less
expensive. Flight time capabilities and longevity of the battery packs have advanced. The
resulting price reductions have made the products more accessible to a larger number of people.
There are three primary technology-based innovations which created these new opportunities
(Choi-Fitzpatrick, 2014). Those are a) the global shift from analog to digital, b) advancing
digital imaging devices, and c) a transition of the camera street level perspective to an overview
from the air.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 125
The transition from analog to digital allows the mechanical components of the drone to
be superior in many ways. For example, the digital processors are much faster and smaller,
which allows drones to carry additional assets and expand their capabilities.
At the same time, digital imaging devices have evolved. Cameras are smaller in size,
lighter in weight, and have greatly improved resolution. The availability of commercial grade
pixilation creates privacy concerns since cameras can capture content at greater distances. These
cameras are able to cover a broader area in a shorter period of time. Drones can be outfitted with
wireless routers that can allow the device to transfer data, content, and captured images
seamlessly to operators and systems on the ground. Increased wireless bandwidth technology
allows this process to happen more efficiently.
The third advancement is the fundamental shift from street level views to airborne
capabilities. This innovation is arguably the most disruptive of the three (Choi-Fitzpatrick,
2014). Some of the most memorable photographs were taken at ground level. Inherent practical
limitations made elevated photo-imaging to be expensive. Helicopters are the most common use
example and these were generally limited to government and corporate media organizations. It
was generally cost-prohibitive for an individual or small company to use a traditional helicopter
for photography. With this capability, expanded by drones, the definition of public space
becomes less clear. Suddenly, a rooftop, an outdoor patio, or an upper floor balcony is now
visually accessible. Images can be captured from a drone flying around the outside of a building
and confidential information could be compromised. Large government buildings such as the
Pentagon, the White House, or the FBI Headquarters are the most obvious examples. But many
others have to guard against drones and airborne surveillance in the same ways.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 126
Advantages of Drones
The use of unmanned aircraft has numerous advantages over the more traditional staffed
option. First, they are cheaper to manufacture but have they substantial payload capabilities. In
the case of military grade drones, their size is comparable to traditional aircraft. Increasing
payload capabilities allows drones to carry more elaborate recording devices, larger surveillance
equipment, and heavier weapons in military applications. Second, they do not risk lives. Third,
an unmanned aircraft is not limited by the sensitivity to G-forces of the human pilot (Phelps,
2012). In contrast, drones used for military applications are able to travel at extremely high
speeds. G-force is a physics-based concept that captures pounds of pressure in relation to
gravity. This places limitations on speed of manned aircraft and the resulting geographic
coverage. Fourth, many of the operational uses that drones provide involve long, laborious,
surveillance missions that are repetitive and mundane. These types of missions are greatly
enhanced by using unmanned alternatives. Without a human pilot, they do not need to land for
basic necessities like food, water, bathrooms, and rest. To illustrate this, consider border
crossing enforcement as an example. The first introduction of drones domestically was
specifically focused on identifying illegal border crossings along the Texas and Mexico line
(Barry, 2013). These missions tend to be long, boring, and tedious for military or law
enforcement personnel since periods of loitering during surveillance efforts are not uncommon,
whereas unmanned options allow for uninterrupted coverage. Fifth, operational costs of drones
are less than manned flights (Heatherly, 2014). They tend to be smaller, lighter, and do not
require refueling as often. Sixth, drones can be difficult for the enemy to detect and very precise
since their target identification is digitally mapped and executed (Vogel, 2013). Dowd (2013)
captured several of the above advantages, stating, “Among the other ‘intrinsic benefits’ of
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 127
drones: they deprive the enemy of human targets; they don’t get tired or thirsty or hungry; they
are relatively inexpensive; and with the coming of nuclear-powered drones, they offer the
possibility of nearly endless above-target operation” (pg. 7). All of these advantages have led to
increased use.
Expanding Use of Drones
Military Use. The previous decade has seen a marked shift in drone use for military
operations. “The decade between 2002 and 2012 saw a remarkable change in killing, from a
time when no one had ever been the subject of a targeted killing by an unmanned flying weapon
system, to one in which several thousand people have been” (Allinson, 2015, p. 113). The first
use of drones was for military tactics in South America and overseas in Pakistan, Somalia, and
Yemen (Barry, 2013). In South America, they were a tool in the war on drugs dating back to the
1980s, though generally they were not used for targeted killings. Their surveillance capabilities
over large regions for interdiction of narcotics trafficking efforts created lower risk tactics since
the aircraft were unmanned. In multiple locations in the Middle East, they became tools for
covert surveillance and powerful airstrikes on enemy soil. As general performance and accuracy
improved, the military’s dependence on them increased.
Over time, their use in clandestine military operations became more widely known and as
a result more controversial. Most of the controversy was associated with strikes by the Central
Intelligence Agency (CIA) on key adversaries on the ground. The increased use of drones raised
questions about transparency and accountability, themes discussed in greater detail later in the
chapter.
Police Use. Initially, only federal law enforcement used drones. They became an
essential tool in the border patrol effort along the southern regions of the U.S., especially along
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 128
the Mexico border. Their operational capabilities for such activities were ideal because of the
need for long missions over expansive regions which would otherwise have limitations inherent
in manned aircraft. The Drug Enforcement Agency (DEA) and the FBI used drones for
surveillance efforts in a variety of applications. Examples include tracking fugitives, patrolling
civil unrest, conducting surveillance for ongoing investigations, and locating unlawful drugs
growing in obscure, mountainous regions.
The use of drones for local law enforcement initiatives has increased. Instead of using it
for specific incidents or projects like their federal counterparts, they would use it for proactive
efforts like daily patrol. Drones provided another resource that proved cost-effective especially
for rural sheriff’s departments whose jurisdictional oversight might be hundreds of square miles
not practical to patrol with traditional methods. Gradually, municipal law enforcement agencies
saw increasing benefits and strategic applications of unmanned aircraft. Some unused military
surplus aircraft were provided to police departments. Domestic law enforcement use of drones
has not come without debate and concern among some groups. The public sentiment was
generally sympathetic to military applications of drones. The costs of war can be high and a
safer, unmanned option carried mainstream support. However, the transition of drones to
domestic law enforcement efforts raised concerns related to privacy and safety (Kaag & Kreps,
2013). “Given the dual association of the drone with war and totalitarianism, it is unsurprising
that the integration of drone technology into internal policing in the United States, Britain and
elsewhere has been greeted by civil libertarians and criminologists with considerable unease”
(Saltar, 2014, pg. 164).
Public and Civilian Use. Within the legal uncertainty and controversy there is a long list
of public and civilian uses of drones. The increasing appeal of drones to various societal
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 129
stakeholders for daily utility of such technology complicates the debate. It is not clear who has
jurisdiction over the public’s use of drones. For example, is it the local police department or the
FAA? Who determines where drones are prohibited such as stadiums, government buildings, or
private property? Innovation and advancing technology represent a paradigm shift for
photographers, citizen journalists, civil libertarians, and hobbyists. As the mainstream use of
drones increases over time, there will be a stronger need to manage the risks associated with that
growth.
The new technology creates opportunities. It is helpful to understand what public
benefits drones provide. The following provides a brief overview of the diversity of such uses,
which helps to clarify what policy implications (covered later in this chapter) should be
considered in the future.
Art. The entertainment industry sees opportunities for improved cinematography using
drones. As a result, they have petitioned the Federal Aviation Administration (FAA) to be
granted conditional use permits for drone use during production. “The entertainment industry
petition joins three others (agriculture, line inspection, and oil and gas) in seeking a waiver for
drone use in narrowly defined, controlled, low-risk situations” (Choi-Fitzpatrick, 2014).
Mapping. The use of electronic maps (e.g., Google maps) has grown dramatically over
the past decade. Drones provide a greatly expanded ability to capture content, update virtual
mapping systems, and provide real-time data feeds over large regions. The application to live
events opens many opportunities for their use. For example, civil unrest (e.g., political protests),
natural disasters (e.g., hurricanes, earthquakes, and floods), government infrastructure
monitoring (e.g., dams and levees) all see potential drone applications by using dynamic
mapping technology with real-time content acquisition.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 130
Public Safety. Drones could provide support for first responders during a crisis. For
example, they could be helpful during a search-and-rescue mission in mountainous regions,
directional assessments of fast-moving brush fires, or thermal imaging of a police manhunt for a
prison escapee. Consider a mass casualty train crash in which emergency personnel could utilize
video analytics from the air to determine what parts of the train they should deploy to first.
Monitoring Environmental Conditions. Change mapping and environmental monitoring
efforts are often hindered by geographic barriers, the expense of using helicopters, and labor
shortages based on budget restrictions. Drones mitigate many of these hurdles because of their
reduced cost and improved range capabilities. “Unmanned aerial vehicles are increasingly used
in a number of environmental areas, including change mapping (i.e., river erosion, deforestation,
and urban expansion); disaster risk management and mitigation (assessing natural disaster risk
and monitoring fires, volcanoes, and landslides); monitoring illegal activity, including banned
hunting, fishing, and trade; and monitoring other natural factors like migration, levels of
endangered species, and foliation” (Choi-Fitzpatrick, 2014, pg. 24). Other specific use cases are
important to highlight. For example, given the severe drought conditions in California, drones
can be utilized to regularly monitor irrigation systems for damage, malfunctions, and operational
efficiency.
Humanitarian and Development Aid. Recent natural disasters such as earthquakes in
Nepal in 2015, the Philippines in 2013, and Haiti in 2010, all illustrate post-crisis challenges
unique to mass casualty disasters impacting large geographic regions. A common theme in these
three examples is the difficulty in safely delivering emergency
food and water in a timely manner. Payload capabilities of drones have continued to improve so
that delivering large quantities of emergency supplies once thought to be impossible is now a
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 131
common practice. Untold lives can be saved if emergency supplies can be provided more
quickly and efficiently following an event.
Journalism / Media. Drones are becoming more popular with media and in journalism.
They can allow coverage to be more detailed, specific, and timely. A drone provides ways for a
journalist to be much closer to the action while remaining at a safe distance. Social conflicts
such as community protests and anti-police demonstrations could be covered live from a remote
position. Large venue sporting events could benefit from wide panning of the field or court
tracking attendance circulation, seating density, or medical emergencies.
Accountability and Compliance. Drones can be used to conduct ongoing monitoring and
tracking from the air for audits and inspections. For example, recent drone footage of a
meatpacking plant in Texas exposed the illegal dumping of pigs’ blood from a slaughterhouse
into a stream (Choi-Fitzpatrick, 2014). Similarly, drones could monitor water use violations.
Drones can benefit the oil industry as well. Several high profile and expensive oil spills in the
past few decades could have been prevented or at least discovered sooner so that responses could
have been swifter. In addition to detecting illegal water use and unlawful dumping, other
examples include monitoring safety compliance at a nuclear plant, adherence to conditional use
permits for a hazardous materials site, or commercial copper theft from large construction sites.
Security Implications
Privacy, oversight, and safety risks are the three biggest security concerns with drones.
Pilotless aircraft are a perfect example of a case of innovation outpacing policy development.
Drones have been catapulted from science fiction imagery into a collision of ethics, privacy, and
regulatory oversight. They have advantages and disadvantages but where they fit into a broader
legal context remains uncertain. “As of 2014, legislation had been introduced into thirty-six
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 132
states relating to drones, with four states having already passed some form of drone related
legislation” (Heatherly, 2014, pg. 25). Europe and other countries are facing similar policy
questions. “The European Commission has been working on Europe-wide regulation since early
2014, but the actual limits and rules vary from country to country” (Shurer, 2015, pg. 4). The
more widespread use of drones, military and civilian, domestic and overseas, has created
challenging questions related to privacy, oversight, and safety.
Privacy. Privacy is at the core of drone discussions. Questions such as where they can be
used and for what purposes remain unanswered. They have a vast array of applications and the
impact of such expanded use has not been properly assessed. “The primary dangers associated
with these systems are the threats to anonymity, privacy, and freedom from an omnipresent
government” (Heatherly, 2014, pg. 26). Celebrities, politicians, and high profile people can be
viewed from the air. Their actions can be tracked in real-time. Sensitive buildings, essential
governmental infrastructure, and secure locations can be monitored without interruption.
Rapidly-advancing camera technology means that cameras are lighter and less expensive,
possess higher resolution, and have a longer battery life. Elaborate surveillance from a distance
has become a contemporary threat. New methods of corporate espionage by using drones to fly
around buildings or take pictures over a fenced construction project could become contemporary
concerns.
Concerns over data protection and content transfer between devices and remote storage
sites will increase. As drones’ capabilities grow, so will abilities to interfere, interdict, and
unlawfully acquire streaming data. “It seems clear that privacy is undergoing a substantial
overhaul in terms of the level of anonymity that can be reasonably expected in an age of constant
surveillance and ubiquitous digitization” (Choi-Fitzpatrick, 2014, pg. 30). Corporate research
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 133
and development initiatives could be jeopardized by drone aircraft flying nearby. “When it
comes to corporate and industrial espionage, nefarious entities may use drones to capture footage
and recordings, since many UAVs are equipped with high definition cameras, infrared cameras,
or long-range microphones” (Shurer, 2015, pg. 5).
Oversight. For years, drones were created and designed exclusively for military and
national security objectives (Barry, 2013). Their use was limited and covert since they were
projects aimed at classified operations. Since they have now entered the mainstream market, a
gap between regulation and expanded use has become a concern of many. “The gap between
governance and drone proliferation is particularly worrisome in the case of the rapid advance of
unmanned systems at home and abroad, given that drones are primarily used for surveillance and
killings” (Barry, 2013, pg. 66).
There is no international law that regulates or governs drone use. As a result, technology
advances and new products enter the market with no controls, restrictions, or limitations. This
creates opportunities for the manufacturers to develop new models with expanded features. As
technology continues to push forward, concerns remain. “In the United States, the Federal
Aviation Administration was ordered by Congress in 2012 to integrate drones into national
airspace by 2015, however there remains considerable uncertainty over the privacy, social, and
legal implications of drones” (Saltar, 2015, pg. 169). Oversight in other countries varies greatly,
which adds to the complexity since the majority of drone use occurs overseas. The challenge
occurs because it’s not clear what uses and applications of drones are permitted. Currently, the
United States use drones at their own discretion and with little oversight. Use policy and
oversight becomes more challenging when multiple international entities are involved. Europe
and the United Kingdom require licenses and permits while Mexico and Brazil have not
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 134
implemented any restrictions on the use of drones for civilian, commercial, or state purposes
(Saltar, 2015).
Safety. The safety records of drones have been called into question as well. They can
collide with other drones, commercial aircraft, structures, and people on the ground. “Drones are
notoriously difficult to pilot with accident rates estimated to be several times higher than piloted
aircraft” (Saltar, 2014, pg. 170). Safety has been affected by new technology. Aircraft size,
weight, and speed have all increased in recent years. That evolution coupled with increased
military and civilian applications has resulted in more accidents. These failure rates increase
risks to bystanders on the ground. “In 2009, the U.S. Air Force reported that one third of their
Predator drones deployed in Iraq and Afghanistan had crashed” (Saltar, 2014, pg. 170). As
drone use for civilian purposes continues to rise, we are likely to see additional accidents
involving other aircraft and people on the ground.
Consider the military use of drones capturing dynamic information as to where injured
troops need immediate medical attention. Conversely, adversaries might weaponize drones by
hacking into their network and either scrambling the information or redirecting it away from the
intended destination.
The controversy surrounding the increased use of drones can be best addressed through a
multi-tiered strategy which strikes a balance between reasonable use, legitimate application,
safety, and a general cost-benefit analysis. As such, an operational guide based on reasonable
considerations should be thoughtfully crafted to manage these concerns and challenges. The
following section outlines a blend of policy suggestions.
Guidelines for Drone Use
All signs point to the growing popularity of drones for military, police, and civilian use.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 135
Most expect this growth rate to continue (Barry, 2013; Phelps, 2012). As technology continues
to advance, the size and capabilities of such aircraft will underscore the need to establish policy
and guidelines. Choi-Fitzpatrick (2014) proposed a series of guidelines for the future regulation
of drone use (pg. 28-30), which is summarized below.
Alternatives. The appropriate use of drones should be based on a comprehensive
assessment of needs and objectives. For example, suitable alternatives that could accomplish the
same objective should always be thoughtfully considered. For example, could satellite
technology be used for taking certain images or for regional surveillance? Perhaps stationary
cameras could achieve some of the same results without using an airborne device. The policy
should default to this cost-benefit analysis. The rapid advancement of new technology which
provides new opportunities for drone use should be thoughtfully assessed with regard to
unintended consequences related to privacy and safety. Alternatives should always be
considered.
Physical and Material Security. As governments navigate through legislation and
grapple with the future of drones, the safety of such applications must be paramount in their
discussion. Policy must mitigate risks of aircraft colliding with each other or with people on the
ground. Metrics and safety records should be transparent so that oversight can be statistically
validated.
Public Interest and Accountability. UAVs provide expansive new opportunities for
capturing newsworthy events and incidents as they occur. The application of these aircraft is
seen as an essential tool for investigative journalism and draws from longstanding themes related
to freedom of speech and the free press movement. Real-time monitoring and live broadcasting
of events is viewed by many as a valuable tool for visibility and transparency, and a core
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 136
component of American freedom. These interests should be thoughtfully balanced with
disadvantages.
Privacy (individual and collective). This period of unease and uncertainty is based on
many factors but privacy is among the most powerful concerns. Seeking the balance of using
drones for valuable and enriching activities while simultaneously safeguarding privacy and
protection of civil rights will continue to be an important policy issue. There are existing laws in
many states to protect against loitering and prowling, many of which could be interpreted to
include cameras on drones. They vary state to state, but are generally well-established and
initially created to prohibit people from looking into windows or hiding with the intent to
commit some additional criminal violation. These laws might prove helpful since they could be
enhanced to cover drones more specifically in a legislative manner. Long-term policy efforts
should narrow down specific use provisions and create a more comprehensive approach.
Conclusion
Drones have significant advantages and equally meaningful drawbacks. The full extent
of their impact on contemporary society is not yet known. One thing is unequivocal. UAVs
create challenging policy questions and immediate safety risks. Rapidly growing technology
provides an inviting backdrop to the expansive use of drones –for both military and civilian
use—with an uncertain regulatory or legal structure in place. As a result, technology and growth
will greatly outpace the regulatory environment.
Because the mainstream use of drones is so new, there is not a defined set of standards,
guidelines, and restrictions about their public use. As technology grows, the capabilities of
drones will expand thereby increasing the risks associated with their public use. Military or
government use has protocols already in place, but the public use of drones should be governed
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 137
by the following trifecta: certification, regulation, and enforcement.
Certification. The safety risks of using drones in public space are high. Those who
operate them should be required to pass a written test and a practical exam akin to
acquiring a driver’s license. The certification process would provide the baseline
knowledge required to operate a drone so that general safety standards would be
implemented. Renewal standards should also be implemented.
Assign a regulatory agency. A government body like the FAA should regulate the use
of public drones. This entity would define safety standards and create recurring training
requirements. This approach would directly address concerns surrounding a drone
interfering or colliding with commercial or private aircraft. It might also develop a list of
prohibited use locations such as around government buildings, sports stadiums, and large
format venues due to the safety and security risks associated with such use.
Enforcement. The legal regulations defined by the regulatory body noted above should
be enforced by federal and local police authorities. This recommendation would add
credibility to the safety and security guidelines which govern drone use.
The safety of drones, both in the air and on the ground, must be an area that policymakers
focus on first. The amateurism of some hobbyists will undoubtedly exacerbate this pressing
concern. Privacy, hacking, and data protection of corporate entities, law enforcement
organizations, and military forces overseas have not been thoughtfully assessed. As new
companies form, technology grows, and the regulatory environment chases far behind, we will
continue to see complex challenges for individuals and the collective society.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 138
Chapter 9 - The Security-Privacy Dilemma
Technology is all encompassing in society and its growth dictates the need for expanding
security policy to more effectively mitigate risks. “The protection of cyberspace and the creation
of an efficient and clear cybersecurity policy are among the most important issues on the national
and international security agendas” (Ciolan, 2014, pg. 120). As computers and networks become
entrenched in society, both our dependence and vulnerabilities are increasing. In light of this
transformation coupled with more visible security threats globally, individual (personal) and
collective (societal) privacy have been impacted in significant ways. The intersection of the
compelling need for security and the expectation of personal privacy has created the demand for
institutional and social division. How to craft risk policy that achieves the appropriate balance is
the topic of this chapter.
Essential infrastructure used by the government and the private sector has become
increasingly dependent on inter-connected computer networks. That dependency creates
vulnerabilities. Cyberattacks, for example, are seemingly more frequent, more visible, and more
damaging. The rapid advancement of technology often races ahead of legislative controls and
sensible corporate protocols. “As technology gives rise to new possibilities, and people engage
in new forms of conduct, the law continues to be directed to solving old problems and is unable
to ‘keep up’ with the modern world” (Moses, 2011, pg. 763). Constitutional free speech
protections in the US are extensive and much of the speech related to terrorism, radicalization,
and extremism is protected under the First Amendment (Neumann, 2013).
Social media has become an essential tool for terrorists for recruiting and
communication. This underscore the complex challenges associated with technology growth and
sensible security policy. But addressing these risks can lead to a reduction in individual privacy
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 139
if the full impact of such new policy is not considered. Achieving an appropriate and generally
acceptable balance of security and privacy is subjective and is divisive.
Background
Global security concerns create fear in society. From deadly terror attacks to the hacking
of computer networks, the complex framework of security risk has raised complicated policy
questions. Creating appropriate security policy in light of the current risks and threats often
infringes on individual privacy. A security-privacy paradox is the result. Laws and protocols
associated with such perceived risks often put national security ahead of individual rights
(Wasko-Owseijczuk, 2015; Coaffee & Fussey, 2015; Pevnick, 2015). After the terror attacks of
September 11, fear of terrorists was so large that it became a priority to ensure safety, even at the
expense of freedom (Wasko-Owseijczuk, 2015). This dynamic gives rise to an ethical dilemma
and policy challenge. “Security of a person is under threat due to limitations imposed on human
rights while seeking to ensure national security” (Praneviciene, 2011, pg. 1609). As technology
becomes more pervasive in society, the security-privacy trade-off becomes a more urgent policy
issue.
A zero-sum game is a mathematically-based computation in which one side’s gains are
equally balanced with the opponent’s losses. The enforcement of security protocols and the
protection of privacy rights are often contradictory efforts. Security restrictions have evolved
significantly in the past decade. This evolution has led to increasing societal tolerance of
security protocols and concessions of privacy rights. As security increases, freedom and privacy
are equally reduced (Pavone, 2010; Ganascia, 2011; Praneviciene, 2011; Dean, et al., 2016).
Furthermore, it is not always clear these control strategies will be successful in their objectives.
“Government control strategies put in place to secure airports, monitor border entry points, or tap
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 140
telephone wires may not only risk limitations on civil liberties, but also fail in complex, dynamic
conditions” (Comfort, 2002, pg. 101).
This chapter summarizes how emerging technology and software tools, while they have
created unquestionable growth opportunity, impinge on personal freedoms. Research tools for
Internet tracking, GPS chips in cellular phones and tablets, and cloud computing all have privacy
implications and consequences. This zero-sum model creates an ethical dilemma of how best to
achieve the delicate balance between privacy and security.
Fear, Technology, and Privacy
Notable incidents of terrorism and violence over the past two decades have raised the
visibility of risks and threats. As a direct result, the fear of potential future terror attacks,
especially within the United States, has triggered policy changes. These terror incidents have led
to changes in laws, new safety protocols, and increased funding for intelligence and law
enforcement initiatives.
A transformative movement which favors security and safety over privacy has grown in
light of perceived risks and associated fears. Individual privacy rights have deteriorated and
security-centric restrictions have been socialized. Mass surveillance and exceptions to the
Fourth Amendment are examples of such changes. For example, warrantless wiretapping of
telephone communications and emails became common practice by U.S. intelligence agencies
after 9/11 (Shofer, 2015). Additionally, the USA Patriot Act created Fourth Amendment
exclusions to assist government agencies in, among other things, tracking terror financing
through institutional banking disclosure (Xhelili & Crowne, 2012). Giving up one’s privacy for
safety has been normalized. The urgent call to action by law enforcement officials and
legislators for more laws has grown louder with additional global terror attacks. In some cases,
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 141
fear-based politics have led to an increased level of security engagement by both the government
and the private sector.
Technology has played a powerful role in the evolution of security policy. This evolution
can be best illustrated by four examples: data mining, surveillance-oriented security technology
(SOST), geolocation tracking, and the institutionalization of information technology (IT) staff as
an essential policy stakeholder of risk management.
Data Mining. Data mining is the strategic aggregation, retention, and analysis of
previously amorphous or unmanageable information into usable, organized categories for
readability and clarity (Dean et al., 2016). There are several reasons why data mining is
important for business and for security. First, data can be used to create a competitive
advantage. Although this is not a new concept, emerging technology has created faster tools
with additional searching capabilities. Second, software tools are now commercially available
that allow for the real-time monitoring and the seamless retention of data for research about
consumer trends. More options to view data in different formats has expanded as well. The
trend will continue. Third, targeting certain demographics for marketing efforts has long been
considered an essential business strategy. Consumer behavior can be analyzed more effectively.
“Big Data is considered the key IT trend of the future, and companies want to use the masses of
data that we produce every day to tailor their marketing strategies through personalized
advertising and the prediction of future consumer behavior” (Cavelty, 2014, pg. 705). Business
operations can be optimized. This targeting effort aims to build knowledge about behavior and
to create better products for consumers.
Similarly, there are many examples of how data mining is currently used to enhance
security and safety. The same types of search tools, intelligence gathering software, and data
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 142
analytic algorithms can be used for security purposes. Those applications are broad and have
long-term policy implications.
Anti-fraud efforts, local crime prevention, and the tracking of defective products are all
examples of data mining tools and software applications that can be deployed to mitigate security
risks (Dean et al., 2016). First, financial institutions routinely use data mining to mitigate their
risks of fraud and theft. They use automated markers known as key indicators which allow them
to track potentially fraudulent banking activity. Furthermore, these tools are used to monitor
suspected terrorist and extremist organizations who are conducting financial transactions to
further their efforts and to coordinate attacks. “International terrorism is highly dependent on
good cash flow” (Irwin & Milad, 2016, pg. 408). Second, social media networks can be
monitored to track terrorists’ communications and to investigate potential threats. Data can then
be analyzed for predictive policing strategies by police departments. Third, pharmaceutical
companies can use data mining to assess a newly released drug’s side effects from blogs, social
media, and enhanced survey techniques. Each of these examples suggests how data mining can
collectively enhance safety, increase security, and mitigate risk.
Although the use of data mining for security and risk management has become somewhat
routine in recent years, it is not without its risks and important policy implications. Individual
privacy rights could be jeopardized if information is misused, mishandled, or distributed in an
unauthorized manner. Several key questions should be raised. For example, is this data stored
on-site or off-site? Who has authorization to view the data? If there is a data breach or theft,
does the victim organization have a crisis response plan in place? Consumers do not always
understand the complicated nuances of the law or what their privacy rights include. The large-
scale compilation of data can over-generalize statistics. If over-generalization occurs, findings
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 143
might be flawed. In some cases, consumer behavior can be tracked without their knowledge.
For example, intelligence agencies could monitor Internet search terms or other online behavior
unbeknownst to the user. This can lead to uncertainty and mistrust about how that data is
viewed, stored, and subsequently used. Further, false leads could result in innocent parties being
investigated by the police.
Some protocols that aim to protect people and enhance security can actually create more
vulnerability, make us less secure, and create a loss of individualism (Dean, 2016). This
illustrates the security-privacy dilemma since the search tools intended to uncover criminal
activity and terror plots are the same ones that might inadvertently reveal sensitive or private
information about law-abiding citizens. The development of thoughtful data management
policies and appropriate legal protections to safeguard individual privacy often lags behind
(Moses, 2011).
The safe management of big data faces a precarious future because this is a largely
unchartered policy area. Safeguarding this seemingly limitless flow of information creates new
challenges. These examples illustrate some of the benefits of mass data aggregation. However,
there are risks that the data could be mismanaged or exploited in an unethical or illegal way.
Even as data mining becomes a more established practice, the future policy challenges regarding
data security and data integrity create uncertainty.
Rise of Surveillance-Oriented Security Technology (SOST). Surveillance technology
in the form of security cameras is now more pervasive in society. In many ways, security-driven
resilience, and its execution through surveillance practices, is increasingly normalized within
modern society (Coaffee & Fussey, 2015, pg. 101). It illustrates the trade-off between privacy
and security. On one hand, the use of surveillance cameras to monitor designated high-crime
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 144
neighborhoods for both deterrence and prompt police response provides notable benefits. On the
other hand, the use of cameras to monitor daily activities can be perceived as intrusive and
overreaching.
The use of surveillance as a security enhancing strategy has a long history. A well-
known architectural design most often associated with prison construction provides a historic
illustration. The Panopticon that was designed in the eighteenth century as an architectural
model intended to reduce the costs of surveillance and improve its efficiency by allowing a
single guard to monitor multiple cells at once (Ganascia, 2011). This layout created a circular
design in which the guards sat in the middle of the structure and had an uninterrupted view of all
of the prisoners in their cells. The objective was to create operational efficiency by substituting
infrastructure-based tools to reduce labor costs and to expand visibility. It also created stronger
security controls since all of the prisoners could be watched from a single control room. Critics,
however, view this type of prison design as an intrusive control mechanism. They argued that
this design created long-term harmful psychological effects since their activities could now be
monitored remotely, which limited regular human interaction. This philosophy illustrates the
zero-sum concept of security and privacy.
The debate about security and privacy is often framed from a personal safety perspective.
With increasing fear levels and growing perceptions of security threats, society has become more
used to increasing surveillance technology. Tools of surveillance such as cameras, intercoms,
and card readers have become routine infrastructure in buildings and on street corners.
Recent terror events around the world have acted as a powerful political force. Tacit
approval is the result. The evolution of such norms has been incremental and organic. SOSTs
highlight one’s loss of privacy on a daily basis. Some citizens have become consumed with fear
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 145
and they perceive this technology as a requirement to keep them safe from harm. “As a
consequence, alternative frames, which emphasize not only the technocratic and authoritarian
implications of emergency security policies based on SOSTs but also the risks of function creep,
data commercialization and social discrimination, have been marginalized within the security
debate” (Pavone, 2011, pg. 557).
A sense of urgency has created a powerful wave of political momentum of policy that is
highly structured and restrictive. This evolution has policy implications since more restrictive
security measures have been normalized in society. “The direct threat to human security,
especially a threat that undermines acquired values such as anonymity, privacy, freedom of
speech, free access to information, etc. does not figure prominently in the policy discourse”
(Cavelty, 2014, pg. 704). Given the frequency with which terrorist attacks are occurring, strong
opposition to security technology and its reduction of privacy could be drowned out by fear.
Geolocation Tracking. The growing use of tracking devices via satellite links has been
significant. Tracking sensors are smaller and easier to install. As a result of this rapid growth,
the policy implications of such use have not been thoroughly vetted. Potential unintended
consequences have not been fully evaluated. One example is the use of cellular phones and
smart phones. “Information on real-time location, enabled worldwide and provided without the
consent of the individual, raises serious concerns on the privacy protection grounds, although
this may not be clearly identified as a privacy violation” (Kulesza, 2013, pg. 159). Questions
about how consumers’ behavior is tracked and under what circumstances that data might be
shared are also unresolved.
In light of such rapid technological growth, the use of tracking devices and location
sensors has figured more prominently in both security and non-security applications. These
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 146
types of tools, once limited to highly classified military operations and research laboratories,
have become mainstream. Computers, tablets, cellular phones, and automobiles are routinely
outfitted with tracking software. “According to recent research, mobile phone use patterns
provide a better tool for identification of individuals than their fingerprints, with even
anonymized mobile device data allowing the identification of individual users with 95 percent
certainty” (Kulesza, 2013, pg. 158). Many users are unaware that this type of technology is
being deployed.
For criminal investigations conducted by law enforcement, the use of geolocation
tracking technology has increased (Ramirez, King, & Ding, 2016). The basis for allowing the
use of search warrants to acquire private data through physical seizures or wiretapping can vary
from country to country. Establishing consistent standards is difficult because the assessment of
their necessity may be based on subjective factors such as the interests of national security,
public safety, or the economic well-being of the country (Kulesza, 2013). The use of geolocation
tracking technology will continue to increase as will the challenges associated with such growth.
The global policy implications of such technology have not been fully evaluated either.
For example, the laws in one country might restrict the use of geolocation tagging and tracking
from one’s mobile phone but those protections might not transfer to another country when you
travel. Some have recommended global laws. However, transboundary legal protections are
unachievable for a variety of reasons. First, courts in different jurisdictions have differed in their
interpretations of such protections. Second, there is great variation among different countries
regarding one’s right to privacy. The law is nuanced. Third, although some universal rules
regarding privacy have been documented in international treaties over the past few decades, the
law remains ambiguous in many circumstances. Even if neighboring countries agree on the
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 147
broad definition of privacy, the challenge in determining what factors should justify
relinquishing those rights is still a vital policy question.
Role of IT Stakeholders in Policy and Ethics. Information technology (IT) teams play a
crucial role with regard to privacy and security. They have multiple responsibilities depending
on each organization’s mission and objectives. These might include the responsibility to search
data for salient trends, develop data protection protocols, and respond to discovery requests from
the court. The IT teams’ data management role can help to determine critical market factors that
could impact sales decisions and support other non-security decision making. But their role has
grown beyond business operations and infrastructure support. IT now plays a very influential,
multi-functional role in maintaining the integrity of data and content. They have been thrust into
the role of an influential gatekeeper. They have powerful ethical responsibility as well.
While an IT team’s role in general business operations is valuable, their security role has
grown in scale and scope. They have become institutional gatekeepers of data. IT is routinely
establishing standards, setting protocols, and developing internal practices for data management.
As technology has advanced, data protection has become a common challenge for organizations
to protect their trade secrets and their proprietary company data. “In circumstances where
confidentiality is desired, the practical, moral, and technical challenges to maintaining privacy
are immense” (Dean et al., 2016, pg. 483). The same types of standards and privacy protections
must be implemented for customers as well.
Information is managed and tracked in different ways based on new tools. The process of
acquisition, analysis, and retention is the responsibility of the team. As the expanded use of such
data becomes an essential function for organizations, their vulnerability for mishandling
increases. Individual privacy can be easily overshadowed by business objectives (e.g.,
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 148
researching consumer behavior to increase sales) and profit objectives (e.g., selling customer
lists to other companies). IT has been abruptly thrust into a delicate balance between security
and privacy.
In the discussion of privacy and security policy, the powerful influence of IT teams has
been missing. Emerging technology has triggered expanded capabilities for data acquisition but
proper protocols have lagged behind. These groups have become powerful gatekeepers and
essential players in the process of managing risk from an operations perspective, but they have
not necessarily been influential in security policy development. This gap can make organizations
more vulnerable to a cyberattack if operational and strategic efforts are not coordinated.
The IT professional possesses broad power and it is critical that organizations create
ethical standards for the internal staff. Most of the legal protections related to data privacy and
information integrity are focused primarily on the end user (e.g., the consumer) not on the
internal processes or internal employees of an organization. This creates a vulnerability related
to individual privacy. For example, an IT manager who has expanded access to enormous data
repositories could compromise that information either through carelessness or a deliberate
criminal act. Making these challenges greater is the ever-evolving nature of information storage
technology.
The burden lies with the individual organizations therefore to govern their own policies
and procedures. The ethical management of personal identifying information stored internally
within an organization creates an ongoing need for sensible oversight. “It is imperative, then that
organizations define specific procedures, policies, and ethical codes to manage their IT and
electronic information ethically” (Desai et al., 2008, pg. 18).
When an organization produces high-value products (e.g., computer chips, jewelry, or
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 149
elite automobiles), they develop routine protocols related to the storage, transfer, and / or
shipping of those items to mitigate their risks of damage or theft. However, that level of
standardization is not always applied to intellectual property in the same way. The stakes can be
just as high. IT professionals therefore become powerful stakeholders in the process since they
have ultimate ownership of this data from a management perspective.
In a relatively short period of time, IT professionals have been thrust into positions of
power and influence in efforts to manage the complex balance of security and privacy. This is
unchartered territory fraught with risk. Clear role definition, organizational transparency, and
thoughtful policy development surrounding the ethical and moral risks of these essential
stakeholders is constantly evolving. “While information technologies present organizations with
opportunities to become more competitive, unsettled social norms and lagging legal guidelines
present organizations and individuals with ethical dilemmas” (Desai et al., 2008, pg. 19).
Factors to Consider for Policymakers
Policymakers are faced with a challenging task to resolve the contradictory relationship
between security and privacy. Important questions such as whether expanded government
surveillance has made us safer or whether the removal of terrorist propaganda from a website
harmed the group’s recruiting efforts are unsettled. There are a multitude of perspectives of how
best to address the security-privacy trade-off, but few are in agreement. Are we addressing the
threat itself or the fear embedded in that threat? “The threat of terrorism does not come from the
number of people killed, the threat is in the very nature of terrorism, the randomness of victims,
the symbol of the destruction of part of the culture of a state, such as World Trade Center, the
effects terrorism has on media and benefits terrorists obtained from the media obsession towards
them and their activities” (Pislaru, 2017, pg. 149). The evaluation of the differing considerations
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 150
should be a deliberate process.
One of the difficult aspects of this debate is how to measure performance. Is the absence
of a security breach or terror attack a reflection of brilliance? Is a successful attack reflective of
failed policies? The objective of this analysis is not necessarily to answer those questions but
rather to explore what are the most important considerations. “Beyond the ideological
disagreements, policymakers must contend with two competing, speculative risks: on one hand,
that of catastrophic terrorist attacks on civilians and, on the other hand, that of investigative
abuse compromising political freedom or doing other significant harm” (Bendix & Quirk, 2016,
pg. 400).
Furthermore, the only prediction that can be made with absolute certainty is that terror
attacks will happen and crime will never be eliminated. If, therefore, the collective group
concedes this, then the core objective for policymakers is simply risk mitigation. This perhaps
redefines how best we tackle the security-privacy dilemma. To further explore these potential
factors, it is important to contribute three additional conceptual themes.
Invisible surveillance: A continuation of the Panopticon theme discussed earlier in the
chapter, invisible surveillance is a sociological perspective in which surveillance,
tracking, and monitoring is an all-encompassing, immersive condition (Ganascia, 2011).
It defines a state in which full transparency and the complete lack of privacy create the
highest level of security and control. Technology is growing at an explosive pace and
will push us further toward this condition.
Digital Panopticons: A digital Panopticon is a term used to capture all of the technology-
centric devices that have become mainstream such as web-cams, cellular phone videos,
social media feeds, RFID tags, and other information technology devices which track
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 151
behavior, monitor locations, and provide live broadcast capabilities. This condition
creates a supreme level of transparency. “In many developed countries, personal data
concerning health, employment, income, travel, and digital communications are stored in
databases” (Ganascia, 2011, pg. 689). While the literature lacks consensus, it is not clear
exactly how this level of transparency makes any of us safer.
New terrorism: A progression of anti-terror tactics has taken a new form over the past
decade. This term captures the most prominent characteristics of this trend such as
radicalization, asymmetric warfare, homegrown violent extremism, and groupthink, all
terms discussed in prior chapters. “It is said to be motivated by religious fanaticism,
using extreme violence and possibly weapons of mass destruction, is increasingly
independent of the state and is organized in a networked structure” (Pislaru, 2017, pg.
151). New terrorism has been used as a policy justification for enhanced security
protocols, expanded police powers, and increasing surveillance as necessary strategies.
These three trends underscore the challenges in determining how security, transparency, and
privacy are positioned for the purposes of new policy development. Additional research will be
critical in years to come as society as a whole grapple with such trade-offs.
Conclusion
The use of data mining tools, surveillance, and tracking tools coupled with the expanding
role of IT professionals will be persistent themes in the process of creating appropriate security
policy. Data mining has become an essential tool for organizational efficiency and business
optimization. Surveillance technology in the form of security cameras and other technology-
based devices have become widely accepted, even if that acceptance has been passive. The
automated tracking of people through their mobile devices, computers, and electronic networks
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 152
is now relatively common.
An often assumed hypothesis is that stronger security protocols create a safer society.
But a security-privacy paradox has become apparent. As technology develops and perceived
risks increase, organizations will enact more restrictive protocols in their efforts to enhance
security. They will do so using a variety of tactics and strategies. These efforts might enhance
collective security but not without a downside. While in most instances these efforts are well-
intentioned, there are ramifications. The erosion of privacy rights and the degradation of civil
liberties are two examples. The security-privacy paradox will continue to create policy
challenges within an unpredictable legal environment. Recent literature has noted that some
state-sponsored efforts to enhance collective security have resulted in giving up individual
privacy. “It has been suspected for a while and is now confirmed that the intelligence services of
this world are making cyberspace more insecure directly; in order to be able to have more access
to data, and in order to prepare for future conflicts” (Cavelty, 2014, pg. 710). These efforts are
deliberately creating vulnerabilities in cyberspace to create more accessible and less secure
networks for their own purposes. The direct result is a world that might provide greater power
and latitude for law enforcement to track criminals online but simultaneously decrease individual
privacy.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 153
Chapter 10 - Potential Responses
The security challenges surrounding the rapid growth of technology are complicated.
The solutions require a multifaceted approach and innovative thinking. The majority of security
threats are not new but they have evolved greatly with the introduction of technology. From
digital piracy of movies, and the dark web commercial exchange of child pornography, to online
radicalization of terror groups and social media as a highly sophisticated communication tool for
criminals, security threats necessitate new policy.
Networks are at the core of many organizational functions. They provide the backbone
for utility infrastructure, they link the world in an increasingly globalized economy, and they
allow people to interact and engage in new ways. “Existing public administration research
points to an increased focus on inter-organizational coordination, network solutions, and reforms,
with an emphasis on more holistic approaches, such as whole-of-government” (Christensen et
al., 2016, pg. 891). Networks improve operational efficiency and paradoxically create more risks
simultaneously. Emerging technology is the foundation for this transformation as networks
become integral to our various human ecosystems. Public utilities, building infrastructure,
government processes, and transportation are all examples of critically interdependent networks.
Network interdependence is expected to grow at a rapid pace. Processes will become
increasingly intertwined. “With the increasing interconnectedness of modern societies, the
potential number of future effects increases and thus the risks grow” (Kreissl, 2014, pg. 660).
The response to a polycentric problem like technology growth coupled with security
vulnerability requires the strategic utilization of three types of networks: individual, data, and
organizational. First, individual networks are strategic partnerships of teams within
organizations. Leveraging the value of networks by combining the information technology and
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 154
the physical security teams within organizations, known as convergence, has become the new
standard in policy (Walter, 2006; Chang, 2013; Jorgensen, 2014). Second, data networks link
information technology assets for greater efficiency. Enhancing the aggregation of data for the
purposes of improved performance is also known as big data analysis. Third, organizational
cross-sector networks allow disparate organizations to find common goals and objectives and
work together to achieve them. Efficient and value-rich relationships between separate
organizations underscore the value proposition that the whole is greater than the sum of the parts.
Collaboration, whether it be through teams of people, IT infrastructure, or amongst multiple
organizations, is at the core of the response to contemporary security risks and ultimately the
solution.
With every expectation that technology will continue to rapidly evolve, the need to
approach security policy with a thoughtful strategy becomes vitally important. This chapter
asserts three primary initiatives to best address these new challenges. They are convergence or
combining IT security and physical security departments, big data analysis to optimize
information for strategic implementation, and inter-organizational collaboration to improve
performance and cooperation between cross-sector organizations.
Convergence
Convergence is an organizational and structural adjustment which join two previously
separate domains into one within an organization. It aims to create a combined team for the
specific goal of addressing both electronic and physical threats together. This collaborative
approach improves process, reduces organizational blind spots, and optimizes resources. The
protocols must be interwoven into the identity of the organization. Most organizations will view
this type of change to be a radical shift in thinking, in approach, and in the underlying
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 155
philosophy.
IT security and physical security functions have traditionally been separate. The
segregation of these departments made business sense. After all, these players are trained
differently, have vastly different backgrounds, and often times even think differently (Anderson,
2007). Their budgets are separate, their reporting structures are unique, and their broader role
within the organizational structure varies. Yet collaboration between IT security teams and
physical security leaders is crucial to protect people and data.
The interconnectedness of information technology (IT) and physical security has never
been greater. “Long-term cost savings, elimination of redundant security processes, and the
centralization of security management, all provide powerful incentives for the convergence of
security processes” (Kinslow, 2008, pg. 86). While these new frontiers have created jobs,
boosted growth, and linked previously segregated business units, the risks and threats have not
been adequately assessed. The rapid level of growth has forged ahead in an uncontrolled,
unmonitored, and unstructured manner leaving a wake of vulnerability behind (Shultz, 2007).
As organizations of all types are increasingly dependent on networks for operations,
information technology departments, which previously focused primarily on infrastructure and
service, have been thrust into an essential role of managing risk. As a result of this
transformation, the need to strategically address security from a holistic perspective becomes
paramount to an organization’s resilience and longevity. If networks fail, operations come to
screeching halt and that impact both physical security systems (e.g., cameras, card readers,
alarms) and IT security (firewalls, information management, storage or proprietary data).
Additionally, the IT security functions depend on the physical security controls, and vice versa.
For example, the IT team might implement protocols for employees such as strong passwords,
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 156
dual factor authentication to sign onto the company network, and strict segregation of sensitive
data on servers. Dual factor authentication requires the user to provide two codes, usually a
typical password plus a randomly selected number from an application on their mobile device.
Both of these must be correct or the employee is not able to access the network. Even if IT’s
security protocols are very strong, but the physical office is easily accessible due to entry points
being left open by a careless security guard, the organization is at risk. These two disciplines
must be married together and their combined efforts must be thoughtfully coordinated. There are
several factors which have contributed to the need for the IT and physical security teams to work
closely. Social and technological changes have led to this evolution.
Social and Technological Changes. Interconnectedness, or the hyper-integration of
computers and networks in our lives, and digitization, or the electronic conversion of numbers
and data for enhanced accessibility, are two processes which have driven immeasurable growth.
The application of more complex levels of connectivity and expanding tools for data storage in
the future will require a comprehensive strategy that mandates a blended logical and physical
approach.
Interconnectedness. First, the interconnectedness of society has grown exponentially in
the past decade (Chang, 2013; Kreissl, 2014). The interconnectedness of networks creates
efficiency and optimization opportunities but also create new risks. The Internet of Things (IoT)
provides the best illustration of this increasing interconnectedness. IoT refers to the ability of
devices, appliances, and systems to be linked to a common device such as a cellular phone,
computer tablet, or laptop computer.
IoT links previously separate functions and operations through a Wi-Fi connection. These
devices send and receive data and usually integrate with a web-based, management interface.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 157
Our dependence on IoT for logistics (e.g., garage door openers, door locks) and operations (e.g.,
home appliance controls) has evolved greatly. Given the increase in IoT-enabled devices, there
is a blurring of clear delineation between logical (IT) and physical security. “Smartphones, e-
readers, GPS-enabled cameras, tablet computers, and other gadgets are already having a
transformative effect on the development of our ecosystems by interlinking the cyber and
physical worlds” (Conti et al., 2011, pg. 2).
Other IoT applications are card readers, security cameras, and laptop computer theft
monitoring. Each example illustrates the dependence on networks for operations. First, card
readers regulate the entry and exit of employees in the workplace. When an employee swipes
their badge to enter a secure door, that electronic transaction and door-open permission is
predetermined by the configuration of a network. If that network fails, that employee’s physical
access might be denied or, worse yet, an intruder might gain unauthorized access. Second, the
use of security cameras to monitor and track people or events is another example. The cameras
are programmed on a larger network and their footage is recorded on servers which allow the
footage to be accessed for viewing when needed. As employees come and go within the
workplace (physical access), their actions are recorded on a logical software platform
(information technology network). This transaction underscores the strong reliance on
technology for basic operations and illustrates the ongoing interconnectedness. A third and final
example of the interconnectedness of devices and the integration of physical and information
security is a laptop. When a laptop is stolen, the theft of property is the initial act by the culprit
but the more valuable loss to the owner is the informational assets stored on the hard drive. The
response protocol and required follow-up investigation require multiple departments –both the
information security and physical security teams—to respond. Physical security will conduct an
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 158
investigation by interviewing witnesses and reviewing security cameras footage. The information
security team will shut-off the laptop’s connection to the internal network and remotely erase all
of the data and content stored on the laptop.
Digitization. Second, the expansive digitization of data and content has created a unique
set of security requirements. Massive amounts of data are constantly being transferred between
locations, servers, and devices. Technological advancements will bring different challenges and
unusual considerations at an ever faster pace as data becomes deeply integrated into our lives and
networks become ubiquitous (Jorgenson, 2014). The volume of information as an asset
continues to grow and intangibles have become valuable property that needs to be protected.
“Technological advances will bring new challenges and new considerations at an ever faster pace
as data processing and storage reach into unforeseen areas of our lives” (Jorgensen, 2014, pg.
291). Government infrastructure, banking services, power grids, and transportation services are
all heavily dependent on networks for operations. Large data repositories are often stored off-
site and at remote locations for businesses. Those repositories have to be maintained and secured
while providing uninterrupted access. “A key element that characterizes the cyber physical
convergence is the huge volume of data, coming from many heterogeneous sources, that is
flowing from the physical to the cyber world (and vice versa) and that requires appropriate
handling” (Conti et al., 2011, pg. 5).
Benefits of Convergence. There are many benefits to integrating electronic and physical
security functions within an organization. Collaboration between departments is not uncommon
but convergence takes it a step further. It does so by formalizing previously ad hoc processes
and cross-department communication. Convergence creates a single, dedicated unit whose
primary focus is security policy and risk mitigation for both physical and cyber security threats.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 159
There are five primary benefits of convergence. It allows for the creation of a company-
wide strategy, it optimizes existing processes, it improves business efficiency by leveraging new
tools, it improves an organization’s crisis response capabilities, and it raises broader security
awareness amongst the workforce.
Enterprise Risk Management. First, convergence allows an organization to create an
enterprise risk management (ERM) program. ERM consolidates all risk management functions
and skill sets and aligns them with the long-term, strategic objectives (Anderson, 2007).
Convergence combines previously separate functions into one which sets the foundation for
broader and more visionary efforts to address risks and threats. This addresses security
challenges, both logical and physical, from a holistic and visionary perspective. ERM combines
previously separate functions under the direction of one leader. This leader can oversee the
entire security function more effectively by creating solutions which leverage existing logical
and physical assets (systems and people). Cross-functional oversight reduces bureaucratic
slowdown and allows for broader visibility since leadership is more centralized and
communication more structured. Computer network vulnerabilities provide a compelling
illustration. For example, hacking is one of the biggest threats to any organization. It requires a
cross-functional strategy which involves security, IT, and operations teams to work together.
Since hacking can be perpetrated by electronic means (finding weaknesses in network security)
or by physical means (persuading an untrained insider to provide revealing information), a
blended approach is vital to combating this rapidly growing form of computer crime. ERM
solutions are also more scalable so that the rapid growth of an organization does not
automatically create undue risk exposure.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 160
Optimize Business Processes. Combining IT and physical security teams creates a more
efficient business operation. The most obvious benefit of convergence is streamlining the
separate security groups into a single program to reduce overhead and duplication (Anderson,
2007). When logical and physical security teams are segregated, information can be missed. To
illustrate this challenge, consider the use of security surveillance cameras. As technology has
evolved, it has become more common for security departments to run their security cameras over
IP networks instead of outdated analog systems. The cameras are the responsibility of the
physical security manager but IT has control of the IP network which creates oversight and
accountability vulnerabilities (Rahman and Donahue, 2010). This vulnerability can occur even
at well-managed, mature organizations because the processes are not aligned and the groups are
not communicating effectively. Sometimes the solutions are redundant or, worse, they might be
missed altogether.
Leverage Technology. Convergence allows organizations to exploit new technology to
their advantage in the same ways that adversaries use it to further their maligned efforts. Instead
of uncertain growth associated with new technology, using new tools to mitigate risks can place
organizations at a distinct advantage. As the IT department becomes aware of new technology,
they can share this information with their colleagues on the physical security team in a more
efficient manner.
Enhance Crisis Response Capabilities. Fourth, convergence improves crisis response
capabilities. It allows both IT security and physical security teams to respond more quickly to a
crisis such as a network intrusion. The 2014 computer hacking incident involving Sony Pictures
Entertainment in Los Angeles underscores the importance of having information security
management teams working closely with physical security teams. Sony had already created a
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 161
well-integrated team of both IT security and physical security experts. When the head of
physical security first became aware that the company’s internal network had been hacked and
overrun by adversaries, his first phone call was to his counterpart, the head of IT security. The
two had to make quick decisions in a dynamic and high-pressure atmosphere about how to
respond to this crisis. The corporate network was under the exclusive control of adversaries.
Because of their close working relationship and coordinated efforts, Sony was able to quickly
respond and begin their investigation.
Raise Awareness. Finally, the combined effort of IT security and physical security helps
to raise awareness and improve training within the organization. The most effective security and
risk programs involve collective awareness amongst the entire workforce, not just the specialized
departments or divisions. Changing culture is often a difficult task but if multiple groups are
driving those efforts, there is a higher degree of success. Awareness and training is far more
effective under a convergence model of delivery. When both groups deliver training, it is
emblematic of teamwork, collaboration, leadership support, and so on. Bridging the network
security with broad employee awareness can be achieved through ongoing training. Training
aims to raise awareness. For example, organizations who embrace initiatives like clean desk
policies so that sensitive documents are not left out in the open, restrictions on the use of flash
drives which limit the transfer of sensitive or confidential data, placing paper shredding bins in
visible locations, providing guidelines on printer use (e.g., prohibiting certain documents from
being printed in hard copy form), and restricting access to certain floors or office suites can all
mitigate risks of leaks, breaches, or thefts.
From operational efficiency to enhanced crisis response and improved awareness
programs, the convergence of IT security and physical security improves an organization’s
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 162
response to security. “Integrating physical and logical security maximizes existing investment,
minimizes impact on workflows and improves risk management, as well as guaranteeing
compliance with industry standards” (Walters, 2010, pg.8). Convergence is more than
simplifying the reporting structure, rather it strategically integrates process and function. The
strong dependence on networks and new forms of data storage for intellectual property will
continue to create complicated challenges. These challenges dictate the need for thoughtful
policies and procedures to mitigate risks.
Barriers to Convergence. The pathway toward combining previously separate
departments is not always predictable and convergence, even with all of its benefits, is not
without its challenges. In order to effectively address emerging risks and threats in a holistic
way, two previously disparate groups must work together in creative and innovative ways.
Information security teams and physical security teams have long operated in parallel (Rahman
and Donahue, 2010). Collaboration between the two is not enough. Working together involves a
much higher degree of commitment and integration. There are five primary barriers to
convergence.
Different Career Paths. First, IT and physical security have different career paths. The
professional backgrounds and experience of the two groups are vastly different. Physical
security leaders typically have law enforcement or military experience. They tend to be less
technical and more strategic.
Experience Levels. Second, because the career opportunities for physical security
managers and directors lend themselves organically to former and retired police officers or
federal agents, there tends to be an age differential as well. As a result, physical security
professionals are often older than IT leaders. This difference can cause internal conflict due to
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 163
the generational gap.
Technical Expertise. Third, information security professionals have advanced technical
training (Anderson, 2007; Rahman and Donahue, 2010). Many IT jobs require advanced
degrees, professional designation, and industry-established certifications. They are more tactical,
administrative, and managerial but less strategic in their approach.
Salary Differential. Fourth, while regional demand, global trends, and the job market
factors can play a role, information security professionals earn higher salaries as well (Rahman
and Donahue, 2010). This lack of parity can be justified because the job requirements and the
prerequisites are different.
Budget Allocation Conflict. Fifth, budget prioritization and resource allocation can lead
to conflicts and infighting (Anderson, 2007). When the two disciplines are overseen by a single
manager, the allocated budget and approval process can be difficult since both disciplines require
resources for their projects. This challenge can create conflict between the two disciplines.
Implementing convergence into an organization has additional challenges. It requires a
cultural shift which is often the most difficult hurdle to clear. Adjusting the reporting structure is
not easy. Both teams should report to the same leadership executive such as a chief security
officer (CSO), a chief information officer (CIO), or a chief risk officer (CRO). However, the
adjustment of the organizational structure does not automatically trigger a change in behavior or
processes. Collaboration between the two groups and the integration of processes and mutual
organizational objectives is most important. IT professionals and physical security professionals
must have an understanding and an appreciation for each other’s jobs. Regularly scheduled
cross-training is also important. Ultimately, the success of convergence depends on the outward
support of such an initiative by top leadership of the organization.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 164
The security function must be rebranded in such a way that all employees feel like they
are essential components of a risk management program. They have to feel a genuine sense
engagement and responsibility for safety. If the collective organization can embrace the
philosophy that security and safety is everyone’s responsibility, restrictive security protocols are
more likely to be met with openness and flexibility.
Big Data Analytics
Technology growth over the past decade has created new and expansive opportunities for
data collection and analysis. The inter-connectedness of networks, the government infrastructure
that depends on critical technology, and cutting-edge data sources create new business
opportunities. Big data is a ubiquitous term used to define the enormous collection of
amorphous data across networks in all facets of life. Big data analytics is defined as the
optimization of massive amounts of data for strategic applications such as business processes,
operations, or planning. From daily traffic to power grids to health care files, big data has
become one of the byproducts of the immersive dependence on networks. However,
organizations of all types are typically not leveraging this onslaught of data. The aggregation
and analysis of such data is vital for long-term risk management strategies. Organizations need
processes that support optimal allocation of limited security resources on the basis of actual risk
rather than perceived vulnerabilities (Hentea, 2007). Furthermore, for public companies and
governmental agencies that are subject to regulatory spending guidelines, the justification for
projects or initiatives requires metrics and objective data. As a result, security and risk policy
has evolved greatly with an increasing emphasis on science and less on art. This changing
landscape dictates a new approach.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 165
Technological Change. Using data to drive business decisions or validate resource
allocation based on metrics is nothing new, but technological tools have created new
opportunities. These tools allow for an almost limitless collection of data. This data must be
stored on servers and this, in turn, creates additional risk exposure. If the storage is not secure,
then unauthorized access creates vulnerabilities. Targeted attacks on computer servers and
network infrastructure could have catastrophic implications –both from a policy perspective and
a practical perspective—for security, safety, and business resilience. “Risk assessment is
foundational to these standards, but traditional risk measures are less effective in cyberspace,
where there exists high situational uncertainty and rapidly changing threats” (Collier et al., 2014,
pg. 70). Technology has created a dynamic and fast-paced environment in which threats are
constantly evolving. Security policies or software patches effective today may be ineffective
tomorrow. “Assessment mechanisms must continuously assimilate new information and track
changing stakeholder priorities and adversarial capabilities” (Collier et al., 2014, pg. 70).
Response Strategies. With large amounts of data constantly being generated,
organizations must create policies which safeguard the integrity of that information. An
organization’s response to rapidly evolving technology must be adaptive. The safe storage and
maintenance of this large aggregation of data dictates high-level organizational processes. These
efforts should involve extensive risk analysis and organization planning based on objective
standards and metrics tracked over time regarding how information is managed, who has access
to it, and how breaches are managed. Risk assessments, simulations, data aggregation tools, and
software-based automation are four examples of how big data can be utilized by organizations of
all types (Beachboard et al., 2008).
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 166
Risk Assessments. An organization’s approach to risk in today’s environment should
include an acknowledgement that preparation is more about establishing resilience and
appropriate responses and less about eliminating risks. A risk assessment is the first step in
developing a comprehensive organizational strategy of security, safety, and business continuity.
Risk assessment is a multiphase process: it starts with risk identification, proceeds to risk
analysis, follows with risk evaluation and ranking, and ends with the management of treatment
phases” (Ralston, Graham, and Heib, 2007, pg. 587).
The essential components of a risk assessment program can be summarized using supply
chain management as an illustrative case study. Managing global supply chains is an essential
business process for many organizations. Supply chain management, or the underlying process
which enables organizations to integrate different inputs for their business provided by varied
sources, brings great opportunity for innovation, research and development, and cost efficiency.
Products and supplies can be sourced nationally or internationally. Service can be improved and
delivery schedules can be expedited. However, disruptions to the process can jeopardize the
business operations. Some products are unique and can only be sourced from a single supplier.
If a disaster strikes, that company becomes a key dependency and a single point of failure.
Recent natural disasters such as earthquakes, tsunamis, brush fires, and hurricanes are all
examples of how unexpected events can block the delivery of valuable assets.
There are three basic phases of a supply chain risk assessment program: before
disruption, during disruption (as it is occurring), and post disruption (post-occurrence) (Kumar,
Himes & Kritzer, 2014). When companies are dependent on many different suppliers in the
chain, the stakes can be high. An important element for consideration is what the financial
impact might be including the costs associated with each piece of the process. Geographic
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 167
dispersion of these suppliers can create increased risk. To mitigate this risk, supply chains
should incorporate the following four strategies: establishing alternative vendor agreements,
overstocking essential products, cross-training employees on how to respond to crisis, and
providing an efficient and effective response plan which is capable of effective recovery (Kumar,
Himes & Kritzer, 2014). Each of these strategies has a strong dependence on data. The more
strategic use of data can create meaningful risk mitigation protocols.
In Phase 1, before disruption, an organization should thoroughly vet all suppliers. This
includes identifying what disruptions the company has previously faced, what type of response
protocol it has in place to mitigate risks, and whether other back-up suppliers are a viable option.
At this early stage, supply chain flexibility is recommended. Supply chain flexibility might
include alternative sourcing, secondary markets, or insurance to transfer risk. In some cases, pre-
crisis stockpiling of core components might be a financially sound approach. It is recommended
that each risk be assigned a rating of probability (likelihood) and impact (consequence). Using
software tools to aggregate inputs and synthesize data allow the organization to better understand
their risk profile given the multi-faceted nature of supply chain management.
In Phase 2, the reactive phase, organizations should have a multidisciplinary team in
place to respond quickly. The team should include the essential business units such as facilities,
finance, accounting, legal, and human resources. They should consider the entire impact,
including factors such as production or manufacturing deadlines, investor confidence, media
attention, recovery strategies, internal and external emergency communication, accounting
requirements, and overall financial impact. Again, software tools can optimize around an event
so that each department representative is responsible for the appropriate tasks and duties during a
business disruption.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 168
In Phase 3, the post-event / recovery stage, all the steps and tasks developed in Phase 2
should be in place. Data inputs such as number of days or hours of downtime and financial
impact, cost differentials when an alternative vendor was engaged on short notice, and how the
supply chain risk rating evolved during the first two phases. An essential crisis manager who
oversees the process is obligated to ensure compliance. A post-action review, or debriefing, is
also vital to an organization’s long-term health. All data gleaned from the disruption should be
tabulated and tracked so that metrics over time can illustrate how the organization fares over the
course of history during a supply chain disruption.
The supply chain process is a core business function that depends on data compilation
and analysis. The use of risk assessments provides an illustration of how data might be
strategically used to reduce risk exposure and create redundant processes for potential
disruptions.
Simulations. The creation of models to simulate potential risks and threats is a valuable
second step of the risk assessment strategy. Crises often occur without warning. As a result of
this uncertainty, these events can have a powerful impact on an organization’s stability and well-
being. The ability to anticipate certain events through statistical modeling techniques creates the
necessary illustration for stakeholders to understand the depth and breadth of the risk. The
simulation aims to illustrate the financial impact of an emergency (e.g., 72 hours of lost business
will cost ‘x’ dollars) but without the actual result. Research has supported the use of simulations
as an effective means of understanding organizational behavior that can genuinely improve
knowledge about poorly understood systems (Beachboard et al., 2008).
Examples of such simulations might include a drill for the executive leadership team of
an organization. The prior is a tool which challenges the management of an organization with a
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 169
presentation by a facilitator. This type of exercise typically occurs in a controlled environment
such as a conference room with visual aids utilizing realistic but hypothetical facts. If
implemented effectively, it serves to organically help
Data Aggregation Tools. Technological growth has created an expansive list of tools for
data acquisition, retention, and analysis. However, pulling together multiple threads and streams
of unwieldy and amorphous data can be challenging or impossible. Inaccurate data jeopardizes
the value of the findings. The outputs from applications and tools are only as good as the inputs.
The coordination of both inputs and outputs are critical to adding value to the risk assessment
process. Organizations must develop and maintain baseline standard of risks and threats that
might impact their organization and what the potential impact might be. This is accomplished by
conducting a business impact analysis (BIA) of all the operations and functions in an
organization and how those operations might be impacted during an emergency. A BIA also
uses software to summarize how quickly certain processes and systems, specific to each
department, could be restored after a disruption. In doing so, the organization can determine
what level of tolerance they have for downtime. Once that is determined, they can take
proactive, remedial steps to improve process, increase resiliency, and streamline recovery
objectives.
Efforts to combat crime and terrorism provide an appropriate and timely example, one
that underscores how data can be valuable in policy creation. Law enforcement agencies deploy
resources based on data such as where crimes take place, where habitual offenders reside, and
where events are occurring in real-time (e.g., protests, sporting events, community fairs and so
on). These agencies utilize computer-aided dispatch (CAD) systems and predictive behavior
software tools (e.g., crime mapping in which times, dates, and locations of criminal activity can
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 170
illustrate trends to shape police deployment of resources). A CAD system links related events so
that strategies can be crafted to combat crime can be comprehensive. Predictive software uses
computer algorithms to group people, events, and places for data-driven policy decisions.
Federal law enforcement agencies like the CIA and FBI have been using similar tools for
decades but new technology has enhanced those capabilities by providing additional data points
and inputs so that the predictions can based on a more comprehensive set of factors.
The use of social media can also be a valuable tool to expand the data network. The
emergence of social media as a data mining tool for crime fighting is largely a new phenomenon.
“Social media is an increasingly utilized forum to quickly obtain external intelligence on major
events in politics, legislation, the economy, weather, etc.” (Kumar, Himes & Kritzer, 2014, pg.
876). There are other data feeds that can also be evaluated such as weather patterns and their
potential impact on crime rates (e.g., there might be less property crime but more traffic
collisions when it rains) and real-time release data from jails and prisons.
The challenges organizations now face are how to strategically aggregate all of this data
so that it can be leveraged for improved policies and impact. Police departments, for example,
typically have limited IT budgets and these tools can be expensive. Furthermore, the emerging
data aggregation technology available today is in a transition period and it is often untested. An
effective crime fighting tool requires highly developed data for both aggregation and synthesis.
Speaking more broadly, organizations that are intent on holistic risk mitigation policies must
clearly understand how data can be leveraged to their advantage.
To better illustrate the role of data aggregation tools as part of a risk assessment, we turn
to a case study. The United States Border Patrol (USBP) is a federal law enforcement agency
tasked with securing the national borders. Of particular concern is a 2,000-mile land border
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 171
which includes nearly 100,000 square miles between the northern portion of Mexico and the
southwestern portion of the U.S. In the fiscal year 2010, USBP agents apprehended 445,000
illegal aliens and 2.4 million pounds of marijuana in this specified region alone (Levine &
Waters, 2013). Because of the wide area of jurisdiction, the high degree of violence associated
with this region, and overall political and social instability, a risk assessment was ordered by
federal officials. The rationale for the risk assessment was to ensure that limited resources were
being efficiently deployed and managed. The agency hoped to validate successful processes and
discontinue failing ones.
The USBP assessment capitalized on the newest techniques of data aggregation and
analysis. The new techniques involve the data aggregation of factors such as the total number of
arrests at the border, satellite imagery of crime hot spots, and security camera surveillance to
enable the deployment of staff to be customized based on data-based predictive models. The
assessment considered crimes, regions, and trends. Pattern and trend analysis refers to the study
of historical data to understand how best to deploy resources in the future (Levine & Waters,
2013). Some of the internal resources that the study analyzed were the number of border agents,
fencing, security cameras, police dogs, mounted patrols, and all-terrain vehicles. Arrest records
and field investigations were also evaluated. These resources were evaluated on the basis of
costs, ease of implementation, and ongoing maintenance needs.
The risk assessment identified four potential organizational barriers which could create
limitations in the overall findings. Those were: “transparency, ability to be executed by non-
specialists, methodological soundness, and the ability to be executed with the analytical
resources at hand” (Levine & Waters, 2013, pg. 1283). The research must be transparent based
on the fact that some of the operators who are using the data do not possess advanced skills in
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 172
this area and they need to clearly understand the relationship between the inputs, the resources,
and the final results. Second, the system must be able to be managed by non-specialists. Third,
the methods used to conduct the assessment must be sound and consistent with industry
practices. The study would ultimately determine how the government deployed resources for
years to come. Fourth, the equipment and hardware currently in-use by the USBP must be
adequate for the implementation of action items and recommendations. No additional budget for
equipment or labor was part of this assessment. Figure 1 identifies the risk assessment process.
The specific findings of the risk assessment were not shared publicly nor are they an
essential component of this chapter. But the assessment highlighted some of the objectives of
any assessment and the associated challenges of such a process. If executed properly, any
organization can greatly benefit from the findings of their assessment through the sophisticated
analysis of readily available data.
Figure 1. Risk Assessment
Process (Levine & Waters, 2014).
COMMUNICATION
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 173
Software-based Automation. The fourth and final component is closely related to the
data aggregation discussed previously but with one additional layer. The process by which data
is accumulated and managed must be reliable and accurate. As organizations become more
dependent on networks for their operations, their reliability and security are vital. In order for
this information to be accessible and usable for internal teams, it must be accurate, timely, and
appropriately maintained.
Software has been an essential component in the overall growth of technology. It is
fundamental to an organization’s ability to monitor and track threats. Software-based
applications specifically used for automated tracking of data exist in a variety of industries and
settings. If properly implemented, these tools can provide reliable and accurate data storage that
reduces the workload on staff and creates new opportunities for improved efficiency.
There are several examples of how software-based data tools can be implemented within
organizations to create enhanced efficiency, reliable auditing, and improved performance. For
example, electronic discovery, or eDiscovery, refers to the storage and transfer of electronic
communication and content that might be required during litigation or investigative purposes.
Network tracking and tracing monitors an organization’s internal communication for concerns
related to workplace violence. Emergency communication software tools maintain an updated
and accurate list of employees for accountability. This tool can be activated during a major crisis
to reach all members of a company or create a phone conference for the leadership team of a
government agency during a regional disaster. Some aggregation tools exist which track events
that occur in close proximity to company offices. This allows the security team to remain
consistently informed about nearby events and how to best respond if needed. Other tools
provide a platform to track the behavior and locations of known offenders or attackers.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 174
Crime prevention efforts using data have become more common as new tools become
available. “General cross-jurisdictional crime data repositories are positive examples of
strategic, core-competency alignment with measurable outcomes” (Avina, 2011, pg.283). The
most well-known data-driven approaches for law enforcement efforts date back to the 1990s in
New York City with a software program called CompStat. CompStat analyzed inputs such as
local crime data and officer beat assignments into a user interface to drive deployment and
strategic decision-making. Using this tool allowed police initiatives to be mathematically
validated based on actual needs. The Compstat program was among the first of its kind and the
main objective was to understand the relationship between crime and the locations in which it
occurs. For years prior, historical operational plans and intuition were more heavily weighted
than statistics. Even with the expanded accessibility of data enabled by the advancement of
technology, the change in culture has been gradual.
In returning to our discussion of global supply chain and the USBP data aggregation
project as illustrations, we can draw several policy lessons that could be applied to a variety of
organizations. First, a data-driven business model will mitigate risks and threats facing
organizations by validating effective policy and critically questioning ineffective ones. Second,
the strategic use of data can be beneficial in setting goals and establishing priorities. Third, the
strong potential exists to achieve cost savings in the long-term based on a mature model of
deployment (e.g., government agencies such as USBP) or business processes such as the supply
chain. Fourth, the detailed review of what impact certain risks may have on an organization
allows it to plan more proactively to mitigate the impact of unexpected crises or emergencies.
From a policy perspective, data-driven decision-making will continue to be an essential
process. The ad hoc and often disorganized aggregation of data, facts, and figures will continue
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 175
to transition to a more refined and streamlined process. If this transformation is effective, it will
provide opportunities to improve performance while simultaneously reducing risk. Big data will
play an increasingly vital role in managing risk. As new policy is crafted to manage explosive
technology growth associated with networks and integration of systems, security should continue
to be an essential consideration.
Organizational Collaboration
Thus far we have discussed people-based networks within organizations and how those
structures might be combined for added efficiency. We have also covered data networks and the
benefits (and challenges) associated with big data aggregation. The third and final proposed
response is organizational networks and how collaboration can be used to develop effective
policy. Security policy and its intersection with technology growth have raised challenging
questions. Collaboration through cross-sector coalitions has become an essential response for
complex problems. Recent literature has pointed toward an increasing need for a more proactive
approach to cross-sector partnerships. This response aims to bring together a larger, more
cohesive group with a diversity of skills and added resources. How collaboration might be
effective in the development of security policy is of particular interest here. “Inter-
organizational efforts to solve ‘wicked problems,’ such as terrorism and disaster response, are
frequently contingent on the intervention of policy makers to ‘connect the dots,’ by mandating
local agencies to improve coordination, communication, and collaboration to address cross-
cutting issues” (Randol, 2012, pg. 308).
Collaborative partnerships between organizations can be an efficient way to provide
improved services, share risks, and develop lasting relationships in a broader region. A broader
network can provide additional strength in pushing strategic change. “Because of the Internet
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 176
and globalization, the world has become a complex system, made up of a tangled web of
relationships and other interdependent factors” (Taleb, Goldstein, & Spitznagel, 2009). Key
stakeholders can shape these efforts. They can determine where the organization fits within this
regional framework and what partnerships have the most powerful influence. However, not all
organizations view outside influence or regional participation in a positive light. There are also
uncertainties about the overall effectiveness of collaboration. The following section provides a
background on organizational networks, the successful formation of these alliances, and the
challenges in forming effective partnerships.
The global economy and emerging technology have resulted in an increasing network of
cities, states, and countries for commerce, trade, and culture. Security concerns and risks have
evolved due to a globalized economy. Globalization has not necessarily created new problems
but rather added to the complexity and increased the magnitude of existing ones. Many new
challenges and problems are unsolvable without regional strategies and global initiatives.
Individual organizations now play a crucial role in a much wider spectrum of interdependence.
A collection of local successes can have a more regional impact with long-term social and
economic benefits. Reciprocity and regional problem solving between agencies is an achievable
goal. However, there has been some resistance to this approach for a variety of reasons.
Enhancing networks, creating coalitions, and driving strategic partnerships in response to
difficult challenges have been widely used in both government settings as well as some private
corporations. But the formation of such alliances is largely reactive. The partnerships are ad
hoc, fleeting or temporary, and sometimes ineffective. To address security-related problems
(e.g., global terror, online radicalization, or digital piracy) by tapping existing resources and
networks that already exist seems fundamental to success. In order for this approach to be
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 177
effective, it must be proactive (Pelfrey, Jr., 2005; Avina, 2011; Randol, 2012; Bures, 2013;
Waugh & Sylves, 2015). Effective policing serves as an appropriate illustration for this
discussion. Police reformist literature, for example, frequently identifies collaboration as the
most vital component for achieving meaningful improvement in public safety service provision.
“Collaboration should be the primary feature in the design, implementation, and assessment of
police reform policies” (Pliscoff, 2009).
Forming Networks. As global interdependence stretches across more states, regions, and
continents than ever before, researchers are seeing an increased dependence on collaborative
ventures to achieve goals and address challenges using innovative and creative partnerships.
There are various types of professional networks which bring the appropriate teams together to
collaborate. As such, it is helpful to understand the basic framework of management networks to
understand the important role of collaboration in effective service delivery. Milward & Provan
(2006) discuss four types of management networks: service implementation networks in which
organizations work together to provide services to clients, information diffusion networks which
share vital information across sectors, problem solving networks to address specific, proximate
problems, and community capacity building networks whose purpose is to build social capital in
the community to better address ongoing and future problems. In the security arena,
collaborative efforts have taken on several different forms. Some of those efforts involve the
sharing of resources between municipal police departments. Others involve public and private
partnerships in which government organizations have established outreach programs to improve
communication and neighborhood relations. Private organizations can partner with law
enforcement to provide financial support, to share information about pending investigations, and
to engage with key community groups. Finally, global alliances, for example between U.S.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 178
federal law enforcement and European national police, have been formed to better address
security risks around the world. Two examples of how strategic networks can be leveraged to
more effectively address complex problems are discussed below. They are regional fusion
centers for intelligence gathering and task forces to combat crime.
Fusion Centers. A critical post-incident assessment following the terrorist attacks of
2001 revealed that vital information had not been thoroughly analyzed, threats had been
mismanaged, and investigations into potential criminal networks failed (Kean and Hamilton,
2004). As a result, fusion centers were formed around the United States to improve
communication and coordination among previously disparate agencies.
The Los Angeles-based fusion center, known as the Joint Regional Intelligence Center
(JRIC), is an example of an effective multi-agency collaboration. The agencies involved include
police departments, fire departments, and emergency services (e.g., the Federal Emergency
Management Agency). This partnership among government agencies has grown stronger in
recent years. Emergency service personnel from surrounding jurisdictions share information
daily in a single facility. This network illustrates how collaboration between multiple
organizations can help to accumulate and synthesize mass amounts of terrorism intelligence.
The goal is to promote regional safety. Considered to be a problem-solving network, the JRIC
utilizes a diverse group of government agencies and shared resources to meet its goals. The
group conducts daily briefings and interacts regularly with similar coalitions both statewide and
around the country. “The U.S. government should appoint a leader of an inter-agency fusion
center that can cross traditional policy, law enforcement, and intelligence lines to forge
information from all these worlds and then use appropriate U.S. leverage –law enforcement,
financial, regulatory, covert, or diplomatic– to stop these trends” (Novakoff, 2016, pg. 147).
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 179
This progressive strategy and resulting synergy allows information to flow more freely and
enables complex problems to be addressed. By all accounts, this is a very effective and well-
managed network and information consortium, growing in size each year. Unfortunately, this
initiative took shape only after the terrorist attacks of 2001, which underscores the often reactive
nature of collaborative networks.
Task Forces. Task forces are multi-agency alliances formed to combat specific crime
problems. They differ from a fusion center in that they have a very specific task or assignment
whereas a fusion center has broader objectives like county-wide intelligence gathering, and
developing community partnerships. After an increasing number of high profile crimes being
committed across borders gained worldwide attention, a coalition of multiple organizations
formed in Brazil. It was clear to law enforcement that the perpetrators were taking advantage of
the inherent challenges in prosecuting transnational crimes. An increasing number of crimes
involving peer to peer (P2P) networks, child pornography and intellectual property (copyright
violations) had become harder to enforce across national borders. Brazilian police officials
deployed two large operations to combat these crimes by bringing various regional and
international law enforcement groups together to form a task force, including the recently
merged U.S. Customs and U.S. Border Patrol (CBP). The resulting arrests and prosecution of
offenders increased. It is unlikely these efforts would have been as successful without the
coalition of the key stakeholders. “These operations were very successful and became references
for employing a new paradigm in internal and international cooperation” (Fagundes, 2009, pg.
29).
Another example of a successful task force occurred in California in 2007. The Farm
Watch task force, formed by multiple organizations including law enforcement to address
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 180
agricultural crimes, has been effective in reducing this type of crime. Ventura County in
California is known for its agricultural industry. The region experienced a spike in farm-related
crimes such as vandalism and theft of expensive farming equipment. Due to the vast area and
multiple police jurisdictions where these crimes were occurring, a strategic plan was developed.
In an effort to stem the rise, a coalition of farmers, employees, and law enforcement agencies
joined forces. With the use of cell phone cameras to take pictures of suspicious people, a more
structured and trusted information diffusion program in place, and timely reporting by police,
several key arrests slowed this rise in crime. A dedicated Sheriff’s Deputy “compiles
information about patterns of thefts, suspects, and crime-prevention tips and emails the
newsletter to about 350 Farm Watch members, who pass the tip sheet on so it eventually reaches
more than 700 people in Ventura County” (Saillant, 2009, pg. 1). After the Farm Watch program
began, crime dropped nearly 24% from the previous year. A similar program in California’s
central valley was created nearly a decade ago to combat crime, especially theft of harvest during
the night. The Central Valley Rural Crime Task Force “is part of a larger network of 13 counties
that use satellite and other surveillance technology in the fight against crime” (Saillant, 2009, pg.
2). The task force also works together to build stronger cases for enhanced prosecution against
suspected thieves. The partnership is vital for success. Not all of the efforts to leverage
networks for societal benefits have been successful, however, so it is important to explore why
and under what conditions barriers exist.
Barriers to Collaboration. Creating effective networks is a challenge to many
organizations. Many coalitions are well intentioned but do not create measurable progress.
Some become procedural or superficial only and fail to develop missions or objectives. The key
stakeholders must embrace the alliance, set a path that welcomes advancement, and collectively
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 181
agree to regularly assess its effectiveness. The general barriers to change might include poor
training, ineffective communication, or a lack of a collective mission (Carter and Phillips, 2015).
A commitment amongst all the participants is crucial. Weak execution, inter-agency
collaboration, threats to economic stability, internal power struggles, and the inability to change
are all examples of barriers that prevent networks from succeeding.
Technology’s Impact on Community Relations. The partnership between corporate
security leaders and police has become integral to security and safety. Public-private
partnerships and alliances allow for a more cohesive strategy in fighting crime. Technology has
changed the way that police perform their duties and interact with the public. In many cases,
technology tools used as service delivery model can actually decreases public interaction and
community participation. For example, online service offerings such as disputing a ticket, filing
a crime report, requesting a parking pass, or submitting a permit request all eliminate the human
interaction component. Criminologists have studied whether the advance of technology has led
to a reduction in more personal, interactive engagement and whether police-community relations
have suffered as a result. In other cases, police departments have moved some officers from
street-level patrol to technology-related desk positions. It raises questions of whether computers
are improving efficiency but also reducing police—community relations. In this context, it must
be established whether the increased dependence on computers and technology for police
services is a truly productive shift. The technology purchased must be uniquely suited to the
department’s needs. Often it is not. Additionally, some of the emerging technology is still in its
infancy so that glitches, bugs, and general maintenance can be time-consuming and expensive.
Inter-Agency Challenges. Inter-agency cooperation continues to be a key policy
challenge. With so many public agencies, whether municipal, county, state, federal, or
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 182
international, the communication between these organizations can be bureaucratic and
inefficient. The Department of Homeland Security, emerged after a review and investigation
into missed cues or investigative leads relating to the terrorist attacks of September 11, 2001.
The intent was to bring resources together, build more coalitions, share criminal intelligence, and
have a more effective response to global terrorism. It is an enormous organization in size and
scope and oversees dozens of organizations. Critics worry about how effective its efforts will be
and whether the size could be a hindrance in implementing change in a highly dynamic security
setting. Since their objectives should be aligned, the ability for them to share goals and resources
is important. Their initiatives are interdependent. Ideally, their efforts should focus on a holistic
approach and create a synergistic relationship amongst all of the departments. The diversity of
stakeholders in the justice system is often criticized for being too fragmented, which can result in
inefficiency and ineffectiveness (Gaines & Kappeler, 2005).
Threats to Economic Stability. Organizations sometimes see a regional approach to
problems as a direct threat to their financial stability and elite status. They perceive that a
partnership with other agencies could mean the sharing of resources. Some fear that they will
have to give up limited resources as part of the collaboration process. This financial elitism is a
powerful force when it comes to initial planning, regional problem solving, or joining multi-
agency task forces. Furthermore, collaboration can create a unification of elites toward their
quest for growth to expand their power, influence, and wealth. They perceive that service could
decline, limited resources could be lost, costs could go up, or localized decision making could be
jeopardized.
Power Struggles. A more regional and collaborative approach is also hindered by power
struggles and strong egos. They firmly define their own identity and are not always amenable to
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 183
outside influence. “For cooperation and collaboration among municipalities and other local
governments to take place, the benefits must outweigh the costs such as loss of autonomy and
‘turf’” (Morton, Chen, & Morse, 2008, pg. 78). Many are slow to relinquish or share power, are
territorial, and even perceive other agencies as competitors even when it could dramatically
improve their problem solving capabilities. Additionally, networking with other organizations
could dilute or redistribute their power and influence. In many cases, this redistribution might be
reassuring to the taxpaying public, but this power struggle becomes a paralyzing force against
working together effectively. Even the key constituents (e.g., residents in the case of a
government agency, voters in political alliances, or employees of competing companies) are
often reluctant to support collaboration.
Reluctance to Change. The internal culture of organizations does not necessarily
promote collaboration. In the case of government agencies, there is little incentive for change or
innovation. Police departments in particular tend to be entrenched in tradition and are often
resistant to change (Yuksel, 2015). “For example, public organizations tended to interact most
frequently with other public organizations from the same jurisdiction; private organizations with
other private organizations; nonprofit organizations with other nonprofit organizations”
(Comfort, 2002, pg. 104). Federal law enforcement agencies do not promote or incentivize an
entrepreneurial philosophy. They consider themselves effective if they meet their annual budget
goals and provide public service. Corporations often see their problems as unique and
impossible to solve any more efficiently with partnerships. Furthermore, corporations can often
become entrenched in layers of internal policies, proprietary technology, or customized
processes which cannot be easily applied externally.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 184
Conclusion
Organizations can be transformed and grow with meaningful collaboration. It can often
lead to inward looking assessments to review their processes. Collaboration can trigger updates
to technology and refresh outdated policies that might not have been discovered without
collaboration. A synergistic effect can frequently benefit multiple stakeholders. Networking
expansion that brings people together to achieve a common purpose, pursue the same goals, and
gain clarity about internal objectives are possible positive benefits. Collaboration will become
vital for public, private, government, and nonprofit organizations to address a more global
economy and regional social problems. Creative problem solving needs, coupled with limited
budgets, will likely force coalitions to emerge. Organizations will evolve in new ways.
Meaningful relationships within these networks will undoubtedly foster a new sense of
management. However, the challenges facing organizations, especially those with a global
presence, are great. Strategic partnerships must be functional and pragmatic.
Responses to rapidly advancing technology must be focused on improving process and
partnerships. The merging of previously disparate functions like information technology and
physical security creates internal synergy and a force multiplier for problem solving. Data
collection must be leveraged in strategic ways to improve process and service delivery.
Collaboration amongst organizations with common objectives will provide opportunities for
intelligence sharing, cost management, and improved communication. Admittedly, each
organization’s security and risk profile is different than the next. However, the fundamental
commitment to networks of all types for progress should emerge as a standard best practice.
Organizations must optimize around emerging technology to better adapt to the rapidly changing
threats that face them. Those who do not create structured and reliable approaches to the
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 185
complex problems that they face will be vulnerable. Traditional modes of operation are no
longer suitable in this environment. Adversaries are both intelligent and adaptive. Security and
risk policies which do not acknowledge such an evolution will see their challenges grow with
time.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 186
Chapter 11 - Future of Security Policy
Managing risk will continue to be a complex challenge for security professionals and
policymakers. As new threats surface, they will take on different forms. Effective strategies
today could quickly become obsolete. The analysis of security requirements must be adaptive
based on changing requirements. The dynamic, fleeting condition of technological growth will
create organizational instability. This concluding chapter covers three areas: implementation
challenges, a quick reference guide of policy recommendations, and research limitations
including topics not covered in this project.
Implementation Challenges
The complexity of security challenges will demand high levels of innovation and
creativity from policymakers. The implementation challenges will be significant. The leaders in
this space will be required to navigate around legacy processes and stale protocols. The
organizations in which this implementation needs to occur could be unaccepting of change.
There are five characteristics about the future of security which can provide a summary of the
challenges ahead.
Evolving nature of technology. The growth of new technology knows no bounds. The
rapidly changing environment will continue to prosper and security challenges not known today
could become a critical need tomorrow. In other instances, a low-level security challenge could
grow overnight and dictate an urgent response, sending practitioners scrambling for answers.
The impact of topics like the dark web, IoT, cryptocurrency such as Bitcoin, and semi-
autonomous vehicles are expanding. Their relatively recent emergence into the spectrum of
security and risk means that the story is yet to be told. Traditionally, security processes are often
more reactionary. The dynamic condition of technology growth will amplify the need for
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 187
policymakers and practitioners to be visionary otherwise their efforts could be fruitless.
Lagging legal framework. Many of the challenges discussed throughout this paper
either directly or indirectly have legal implications. Drones lack an established guideline for use
and an enforcement body does not yet exist. Pirated movies in China land seamlessly into the
black market sales pipeline with little effort to combat it. There are numerous examples of local
or regional crimes –forgery, fraud, counterfeiting, drug sales, and human trafficking—that have
become transnational crimes. The victim and the suspect might be on different continents.
Prosecution efforts are makeshift and flimsy, criminal complaints lack legal foundation, and
police investigative capabilities are diminished due to geographic hurdles. The power of the
globalized economy has unintended consequences; crime is among them.
General lack of clarity and ownership. When new security requirements surface, the
effective response can be hindered because of a lack of clarity and understanding of who should
own what initiatives. Reducing the supply of terrorist websites and propaganda on the Internet
aimed at recruiting isolated, disenfranchised, young people is an important strategy to reduce the
threat of homegrown violent extremism. Is that the responsibility of the federal government? Is
it the responsibility of local and state police? These and many other policy questions remain
unresolved. Private corporations manage or oversee most of the government’s critical
infrastructure assets. Examples are nuclear power plants, national defense facilities, agriculture
sites, utilities, and many more. Until the terrorist events of 9-11 happened, there was not a clear
structure in place to enable those entities to collaborate, share intelligence, or optimize mutual
resources. These types of partnerships have increased over the past decade but organizational
and communication blind spots still exist today. This needs retooling until substantive progress
can occur.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 188
Stakeholder conflict. As discussed in the introduction, one of the essential elements of a
polycentric problem is that the problem is multilayered and multifaceted which dictates the need
for multiple stakeholders to be involved in designing and executing the appropriate response.
Contemporary security challenges will continue to necessitate engagement from multiple angles
and diverse perspectives. Like a traditional negotiation with multiple parties, not all of the
stakeholders have the same interests in mind. This conflict will hinder even the most well-
intentioned efforts. For example, the FBI director, the CEO of a non-profit, outreach director for
a synagogue, a local Sheriff in Las Vegas, and the security manager for aerospace corporation
may all agree that security is a priority but they might not see the same path in achieving that
goal. Law enforcement agencies are sometimes territorial. Religious and community groups
might not trust the police. There are legal and procedural limitations on what intelligence the
police can share with their private sector colleagues. India’s legal approach to digital piracy
might conflict with that of Canada’s. Each of these examples illustrate that seeking consensus,
building coalitions, and solving complex problems does not always occur under the most optimal
conditions. The complexity of such policy challenges demand a thoughtful, collaborative
approach. There is no reason to assume that stakeholder conflict can be resolved, so the response
strategy must acknowledge this barrier and work within those limitations.
Extreme global uncertainty. The unsteady nature of global risk will create
implementation hurdles. Rapid technological growth, emerging markets, geopolitical challenges,
globalization, transnational crime, and terrorism will create an era of unpredictability. Defining
risks will be subjective. This will lead to ambiguity about which security problems are truly
priorities. From a security and risk management perspective, the era will be forever marked as a
time of extreme uncertainty. This instability, in some cases, will be paralyzing for governments
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 189
to act, make corporations question their use of resources for security efforts, and cause
collective, societal anxiety. This condition, coupled with the dynamic growth of technology
around the world, could lead to indecisiveness on the part of policymakers and practitioners. If
security is indeed a zero-sum game, the future of many security protocols will likely be in
conflict with individual privacy.
Recommendations
Even in this time of global anxiety and concern surrounding safety, there are
recommendations that should be pursued deliberately. The standard in addressing risk is to
mitigate it, not eliminate it. For the security professional or the policymaker, although the
challenges are complex, there is clear reason for optimism and pursuing those solutions should
be considered a worthwhile endeavor.
Each key topic area covered in this project included a short list of recommendations.
Some of the recommendations are provided specifically for security professionals. Others are
directed toward policymakers. The list below provides a dedicated section for all of the
recommendations and the rationale for those choices.
Insider Threats
Education and Training Programs. When employees embrace the philosophy that
security and safety is everyone’s responsibility in the workplace, their awareness
becomes a force multiplier. Regularly scheduled training programs can raise awareness,
provide employees with the basic tools to make observations, and empower people to
come forward to report suspicious behaviors.
Data Analytics Software. There are software products available today that leverage
existing internal workplace data and algorithmic formulas to predict behavior.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 190
Correlating data and behavior based on objective baselines can flag outliers and trigger
follow-up steps if justified. For example, an employee who works traditional business
hours for many years and abruptly starts coming to the office late at night or on the
weekend would be considered a notable outlier. Those statistical deviations would
trigger a notification to security or human resources for further follow-up.
Background Checks. Pre-employment background checks are an essential component of
insider threat risk mitigation. The assessment of past behavior is a strong predictor of
future performance. The higher the degree to which an organization understands their
applicants’ experiences, the better their odds of hiring top performers and those with high
ethical standards.
Digital Piracy
Computer-Level Controls. Organizations that manage large amounts of data or content
should conduct a comprehensive assessment of accessibility allowances. The objective
of the assessment is to determine how the protocols governing access to unreleased
footage or proprietary content are configured. Increasing restrictions and limitations of
access will mitigate risks associated with unintended disclosure. Confidential data should
be partitioned from those who have no business justification to view it.
Watermarking. Industry leaders generally concede that illegal reproduction and
distribution of protected content is an unfortunate reality. Although technology creates
more opportunities for unlawful activities, it can also be a valuable preventive tool.
Inserting a virtual fingerprint or barcode onto the content itself will reduce the
occurrences. Technologists should continue to pursue creative and innovative ideas to
“lock” protected content and reduce its unlawful distribution.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 191
Collaboration. Content protection is a global policy challenge that requires a holistic
approach. To that end, coordination amongst a diverse set of stakeholders around the
world should be a fundamental effort of both practitioners and policymakers. While anti-
piracy legislation clearly has its limitations, the collective engagement of multiple entities
should be an essential strategy.
Online Radicalization
Reduce the Supply. Online intervention is the first important initiative. Law
enforcement should partner with Internet service providers (ISP) to identify propaganda
and extremist recruiting websites. There are limitations to this recommendation. The
unregulated nature and scale of the Internet make the discovery of these websites
challenging. For example, when one website is taken down by an ISP, another is
launched. Even so, efforts to curtail these recruiting efforts by reducing the supply is a
worthwhile effort.
Reduce the Demand. As effectively as terror groups have leveraged the Internet to reach
vulnerable young people around the world in hopes of converting them to freedom
fighters, efforts to reduce the demand through community engagement is the second
recommendation. Community engagement can take on two primary forms, online and in-
person. Online efforts use social media to promote positive community involvement,
encourage diversity and understanding, and seek to drive enthusiasm around peaceful
movements and causes. Direct engagement is best accomplished through the use of local
community leaders at the grass-roots level. Examples might include churches, clubs,
charities, and foundations that work closely to promote tolerance, open discourse, and
group engagement.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 192
Countermessaging. In 2011, the White House announced a counter-radicalization
strategy to address the increasing number of cases in which terrorist groups were
recruiting US citizens (Greenberg, 2016). These efforts focus around online messaging
which emphasizes the realities of ISIS and al-Qaeda’s global activities. Some of the
messaging includes debunking ISIS claims, highlighting their history of violence, and
illuminating the realities of terrorism. Both the message and the messenger matter.
Spokespeople should include community leaders, Muslim immigrants, and reformed ISIS
sympathizers, not only government officials and police.
Cyber-Threats
Strengthen government network infrastructure. Public utilities and core community
services depend on networked systems for automation, monitoring, and trouble-shooting.
Whether it is the result of a terror attack, an accident, or mechanical failure, the
infrastructure can be vulnerable to failure or disruption. These networks enable essential
public services and support key infrastructure such as agricultural, electrical, nuclear,
aviation, and so on. Improving these systems through regular maintenance and
replacement programs is an important step for mitigating risks. In order for these efforts
to be effective in preventing attacks or disruptions, they must be proactive.
Increase public—private working groups. The private sector manages, oversees, or
secures many of the US Government’s critical infrastructure sectors. As a result, the
close coordination between the two groups is essential for preparation and planning.
Both sides need to embrace that coalition and look for opportunities to build alliances,
share information, and create mutually beneficial solutions toward risk mitigation.
Create IT recovery plans. Our key industries and nearly all organizations are critically
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 193
dependent on networks for daily operations. Most of the recent literature surrounding IT
security indicate that cyber-attacks will ultimately impact all organizations in some
capacity. If organizations of all types –private or public, small or large, profit or
nonprofit—acknowledge that they will be the target of a cyber-attack in some form, their
efforts cannot focus only on prevention but also on recovery and resumption.
Unmanned Aerial Vehicles
Certification. The safety risks of using drones in public space are high. Those who
operate them should be required to pass a written test and a practical exam akin to
acquiring a driver’s license. The certification process would provide the baseline
knowledge required to operate a drone so that general safety standards would be
implemented. Renewal standards should also be implemented.
Assign a regulatory agency. A government body like the FAA should regulate the use
of public drones. This entity would define safety standards and create recurring training
requirements. This approach would directly address concerns surrounding a drone
interfering or colliding with commercial or private aircraft. It might also develop a list of
prohibited use locations such as around government buildings, sports stadiums, and large
format venues due to the safety and security risks associated with such use.
Enforcement. The legal regulations defined by the regulatory body noted above should
be enforced by federal and local police authorities. This recommendation would add
credibility to the safety and security guidelines which govern drone use.
Research Limitations and Final Lessons
In researching security policy topics for this paper, it became clear that no all of them
could be addressed. Although quite different on its face, each of the essential topics could be
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 194
threaded together by a singular theme: emerging technology. Technology growth worldwide has
provided extraordinary social, economic, and political benefits. It has created new opportunities,
linked businesses around the world, and provided communication pathways that never existed.
Several important security topics were mentioned briefly throughout this paper but were
not covered in detail. Each is important in its own right and its impact on security policy over
the next years will be consequential. The dark web is a term that defines the collection of
websites which utilize the Internet but are hidden and require the use of unique software and are
secured through high-level encryption. As the use of the dark web for criminal purposes
provides a well-coordinated communication network that operates outside of government
oversight and circumvents police investigative options. The use of the dark web by terror groups
will grow over time. Ransomware is a term used to describe a particular network hack in which
the attacker holds information or files hostage in a virtual environment until a payment is made.
These attacks are becoming more common because they are effective and often times the
incidents are reported to the police. Cryptocurrency is a digital asset that operates as a virtual
medium of exchange, similar to money. Some countries have prohibited its use, others approved
it, and others have not ruled yet. There is an implication that cryptocurrency use is correlated to
global criminal activities. Its future remains unclear.
To say that the world of security and risk is fast-paced and dynamic is an understatement.
The evolution of risk over the past decade is probably more aptly considered a revolution. To
reflect back on some notable security incidents over the past two decades allows us to illuminate
some key lessons. The attacks of September 11, 2001 showed us how absolutely critical that
multi-agency collaboration and information sharing is in the pursuit of global terror groups and
preventing future attacks. Collaboration is at the core of many recommendations discussed
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 195
throughout the paper. The 2013 Boston Marathon bombing illustrated that, as a society, we are
vulnerable when we have large scale, spectator events. Furthermore, it is believed that the two
responsible, Tamerlan Tsarnaev and his brother Dzhokhar Tsarnaev, were at least partially
radicalized online. The use of the Internet for recruitment and coordination of terror attacks will
be a relevant security policy challenge for many years to come. The cyber attack against Sony in
2014 brought the company to its knees, derailed a movie release, and caused financial and
reputational damage to the company. The policy impact was broader and more far reaching than
Sony, though. It underscored the vulnerability of computer networks. If a movie studio could be
successfully attacked, what prevents a similar operation to hack into an airline’s internal
network?
Emerging technology is at the core of this new security environment. For example, the
Internet has paved expansive new roads of professional opportunity. The creative industries are
a notable illustration. With their strong dependence on technology for content creation,
production, and distribution they are an obvious beneficiary of this transformation. Other sectors
have also expanded and profited from new technological tools and assets. This growth has
unintended consequences. “The usage of new technologies doesn’t offer us only benefits, it also
comes with great cost” (Ciolan, 2014, pg. 120). This interconnectedness has allowed terror
groups to mobilize and recruit in mass, redefined the concept of transnational crime, made
rudimentary criminal schemes scalable across world regions, and provided a resilient market for
counterfeit commerce that, ironically, is often nearly as high quality as the authentic products.
As technology continues to evolve and transform the methods and means with which
people conduct themselves, security policy will remain conflicted, leaving many unresolved
questions ahead. The essential premise of this paper asserted that the polycentric nature of
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 196
contemporary security challenges demands an unprecedented commitment of multiple
stakeholders. Each of the policy challenges circles back to technology and how its introduction,
intervention, and disruption of security processes will continue to demand a highly sophisticated
response. Due to the complicated and dynamic nature of these security policies means that
translating knowledge into action should continue be a top priority of professionals and
policymakers. Effective strategies will involve multiple stakeholders, considerable change in the
way previously disparate groups work together, and truly innovative approaches. Effective
policies of the past will no longer be suitable for today’s requirements. Tomorrow’s challenges
are not yet known.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 197
References
The 9/11 Commission Report: Final Report of the National Commission on Terrorist
Attacks Upon the United States (Authorized Ed.). (2004). W.W. Norton &
Company, New York.
Abrahamsen, Rita and Michael C. Williams (2009). Security Beyond the State: Global Security
Assemblages in International Politics, International Political Sociology, 3, pp. 1 – 17.
Adams, Josh and Roscigno, Vincent J. Social Forces. Vol. 84, No. 2 (Dec., 2005), pp. 759-778
Published by: Oxford University Press
Stable URL: http://www.jstor.org.libproxy.usc.edu/stable/3598477.
Ahmad, R., & Yunos, Z. (2012). A dynamic cyber terrorism framework. International Journal of
Computer Science and Information Security, 10(2), 149-158. Retrieved from
http://search.proquest.com/docview/1038456529?accountid=14749.
American Society of International Security (2005). Business Continuity Guidelines: A Practical
Approach for Emergency Preparedness, Crisis Management, and Disaster Recovery.
ASIS GDL BC 01 2005 Edition.
Anderson, K. (2007). Convergence: A holistic approach to risk management. Network
Security, 2007(5), 4-7. doi:10.1016/S1353-4858(07)70033-8.
Ang, Swee Hoon, Peng Sim Cheng, Elison A. C. Lim, Siok Kuan Tambyah (2001). Spot the
Difference: Consumer Responses Towards Counterfeits: Journal of Consumer
Marketing, Vol. 18, No. 3, pp. 219-235.
Ashenden, Debi (2008). Information Security Management: A Human Challenge? Information
Security Technical Report (13), 195-201. Retrieved March 26, 2011 from ABI/INFORM
Global. (Document ID: 821585222).
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 198
Bagchi, Kallol, Peeter Kirs, & Robert Cerveny (2006). Global Software Piracy: Can
Economic Factors Alone Explain the Trend: Communications of the ACM, June, Vol.
49, No. 6, pp. 70-75.
Bajc, Vida (2007). Introduction: Debating Surveillance in the Age of Security, American
Behavioral Scientist, 50, 12 (Aug., 2007), pp. 1567-1591.
Barry, T. (2013). Drones over homeland: Expansion of scope and lag in governance. The Brown
Journal of World Affairs, 19(2), 65-80. Retrieved from
http://search.proquest.com/docview/1649691379?accountid=14749.
Bendix, W., & Quirk, P. J. (2016). Introduction: Governing the security state. Journal of Policy
History, 28(3), 399-405. doi:10.1017/S0898030616000154.
Benekos, Peter J. and Alida V. Merlo (2006). Crime Control: Politics and Policy, 2
nd
Edition.
Matthew Bendor and Company, Inc.
Beresford, Annette D., Christian Desilets, Sandra Haantz, John Kane, and April Wall (2005).
Intellectual Property and White-Collar Crime: Reports of Issues, Trends,
and Problems for Future Research: Trends in Organized Crime, Vol. 8, No. 4
(Summer).
Berlet, C., & Vysotsky, S. (2006). Overview of the U.S. White Supremacist Groups. Journal of
Political and Military Sociology, 34(1), 11-0_8. Retrieved
fromhttp://search.proquest.com/docview/206662818?accountid=14749.
Bloom, Jeffrey A. and Cox, Ingemar J. (1999). Copy Protection for DVD Video.
Proceedings of the IEEE: July 1999, v. 87, n. 7, pp. 1267 – 1276.
Borison, Adam and Gregory Hamm (2010). How to Manage Risk (After Risk Management Has
Failed)? MIT Sloan Management Review, 52(1), Retrieved April 5, 2011 from Harvard
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 199
Business School (Reprint 52107).
Brooke, H. (2016). Inside the digital revolution. Journal of International Affairs, 70(1), 29.
Brooks, R. (2014). Drones and the international rule of law. Ethics & International
Affairs, 28(1), 83-103. doi:http://dx.doi.org/10.1017/S0892679414000070.
Bures, O. (2015;2014;). Political corporate social responsibility: Including high politics? Journal
of Business Ethics, 129(3), 689-703. doi:10.1007/s10551-014-2200-1.
Caputo, D.; Maloof, M.; Stephens, G.; "Detecting Insider Theft of Trade Secrets," Security &
Privacy, IEEE, vol.7, no.6, pp.14-21, Nov.-Dec. 2009 doi:
10.1109/MSP.2009.110URL:http://ieeexplore.ieee.org.libproxy.usc.edu/stamp/sta
mp.jsp?tp=&arnumber=52190&isnumber=5370689.
Caves, Richard E. (2000). Creative Industries: Contracts between Art and
Commerce. Harvard University Press, Cambridge, Massachusetts,
and London, England.
Chang, H., Kim, J., and Park, J., (2014). IT convergence security. Journal of Intelligence
Manufacturing, 25(2), 213-215. doi:10.1007/s10845-013-0741-2.
Chaudhry, Peggy E. and Michael G. Walsh (1996). An Assessment of the Impact
of Counterfeiting in International Markets: The Piracy Paradox Persists. The Columbia _
Journal of World Business (Fall, 1996), pp. 34-48.
Chaudhry, Peggy E. and Alan Zimmerman, et al. (2008). Preserving Intellectual
Property Rights: Managerial Insight into the Escalating Counterfeit Market
Quandary. Kelley School of Business, Indiana University, Business Horizons (2009),
52, pp. 57-66.
Chesbrough, Henry William, Wim Vanhaverbeke, & Joel West (2006). Open
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 200
Innovation: Researching a New Paradigm. Oxford University Press: UK.
Choi-Fitzpatrick, A. (2014). Drones for Good: Technological Innovation, Social Movements,
and the State. Journal of International Affairs, 68(1), 19-XI.Retrieved
from http://search.proquest.com/docview/1644459387?accountid=14749.
Christensen, T., Lægreid, P., & Rykkja, L. H. (2016). Organizing for crisis management:
Building governance capacity and legitimacy. Public Administration Review, 76(6), 887-
897. doi:10.1111/puar.12558.
Ciolan, Ionela M. (2014). Defining cybersecurity as the security issue of the twenty first century:
A Constructivist Approach. Revista De Administratie Publica Si Politici Sociale, 12(1),
40.
Coaffee, J., & Fussey, P. (2015). Constructing resilience through security and
surveillance: The politics, practices and tensions of security-driven resilience.
Security Dialogue, 46(1), 86-105. doi:10.1177/0967010614557884.
Cohen, Dara Kay, Mariano-Florentino Cuellar, and Barry R. Weingast (2006). Crisis
Bureaucracy: Homeland Security and the Political Design of Legal Mandates.
Stanford Law Review, v59, n3, pp673-759, Fall 2006.
Cole, Eric (2006). Insider Threat: Protecting Enterprise from Sabotage, Spying, and _
Theft. Syngress Press: Rockland, MA. (Chapter 8, pp. 295-327).
Collberg, C., & Thomborson, C. (1999). Software watermarking: Models and dynamic
embeddings. Paper presented at the 311-324. doi:10.1145/292540.292569.
Colwill, Carl. Human factors in information security: The insider threat –
Who can you trust these days? Information Security Technical Report, Volume
14, Issue 4, November 2009, Pages 186-196, ISSN 1363-4127,
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 201
10.1016/j.istr.2010.04.004 (http://www.sciencedirect.com/science/
article/pii/S1363412710000051).
Comfort, Louise K. (2002). Rethinking Security: Organizational Fragility in Extreme Events.
Public Administration Review, September 2002, v62, Special Issue, pp. 98-107.
Conti, M., Das, S. K., Bisdikian, C., Kumar, M., Ni, L. M., Passarella, A., Zambonelli,
F. (2011;2012). Looking ahead in pervasive computing: Challenges and opportunities
in the era of cyber-physical convergence. Pervasive and Mobile Computing, 8(1),
2.doi:10.1016/j.pmcj.2011.10.001.
Dean, M. D., Payne, D. M., & Landry, B. J. L. (2016). Data mining: An ethical baseline
for online privacy policies. Journal of Enterprise Information Management, 29(4), 482-
504. doi:10.1108/JEIM-04-2014-0040.
Desai, M. S., von der Embse, Thomas J, & Ofori-Brobbey, K. (2008). Information
technology and electronic information: An ethical dilemma. SAM Advanced
Management Journal, 73(3), 16.
Dowd, A. W. (2013). Drone wars: Risk and warnings. Parameters, 42/43(4), 7-16. Retrieved
from http://search.proquest.com/docview/1368613522?accountid=14749.
Dubey, N. K., & Kumar, S. (2014). A review of watermarking application in digital cinema for
piracy deterrence. Paper presented at the 626-630. doi:10.1109/CSNT.2014.131
Dunn Cavelty, M. (2014). Breaking the cyber-security dilemma: Aligning security needs
and removing vulnerabilities. Science and Engineering Ethics, 20(3), 701-715.
doi:10.1007/s11948-014-9551-y.
Egli, D. S. (2013). Beyond the storms: Strengthening preparedness, response, & resilience in the
21st century. Journal of Strategic Security, 6(2), 32-45. doi:10.5038/1944-0472.6.2.3.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 202
Eller, Warren S. and Brian J. Gerber (2011). Contemplating the Role of Precision and Range
in Homeland Security Policy Analysis: A Response to Mueller. Policy Studies
Journal, Nov. 1, 2010, v38, pp. 23-39.
Fagundes, Paulo (2009). Fighting Internet Child Pornography – The Brazilian Experience, The
Police Chief, LXXVI, 9, pp. 49 – 55.
Fisher, William W. (2004). Promises to Keep: Technology, Law, and the Future
of Entertainment. Stanford University Press: Palo Alto, CA.
Fox, S. J. (2016). Flying challenges for the future: Aviation preparedness – in the face of cyber-
terrorism. Journal of Transportation Security, 9(3), 191-218. doi:10.1007/s12198-016
0174-1.
Gaines, Larry K. and Victor E. Kappeler (2005). Policing in America, 5
th
Edition. Anderson
Publishing.
Ganascia, J. (2011). The new ethical trilemma: Security, privacy and transparency.
Comptes Rendus - Physique, 12(7), 684-692. doi:10.1016/j.crhy.2011.07.002.
Geer, D. E. (2006). Convergency. IEEE Security & Privacy Magazine, 4(3), 88-88. Doi:
10.1109/MSP.2006.61.
George, Randy (2008, November). Security to Go. InformationWeek (1209), 33-38. Retrieved
March 6, 2011 from ABI/INFORM Global. (Document ID: 1635115491).
Gomes, J. F., Ahokangas, P., & Owusu, K. A. (2016). Business modeling facilitated cyber
preparedness. Paper presented at the, 7(4) 1-12. Retrieved from
http://libproxy.usc.edu/login?url=http://search.proquest.com.libproxy2.usc.edu/docview/1
799575982?accountid=14749.
Greenberg, K. J. (2016). Counter-radicalization via the internet. The ANNALS of the American
Academy of Political and Social Science, 668(1), 165-179.
doi:10.1177/0002716216672635.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 203
Hayes, Bob, Kathleen Kotwica, & Marleah Blades (2008, April). The Forces of Change.
Security, 45(4), 32, 34, 36, 38, 40. Retrieved March 6, 2011, from ABI/INFORM Global.
(Document ID: 1470830091).
Hayes, B., Kotwica, K., & Lefler, R. (2011). Insider threats. Financial Executive, 27(5), 34-36.
Retrieved from http://search.proquest.com/docview/873625896?
accountid=14749.
Heatherly, M. C. (2014). Drones: The American Controversy. Journal of Strategic Security, 7(4),
25-37. doi:http://dx.doi.org/10.5038/1944-0472.7.4.3.
Hebeler Jr., John W. and Doris C. Van Doren (1997). Unfettered Leverage: The
Ascendancy of Knowledge-Rich Products and Processes. Business Horizons (July
– August 1997), pp. 1-10.
Heickerö, R. (2014). Cyber terrorism: Electronic jihad. Strategic Analysis, 38(4), 554-565.
doi:10.1080/09700161.2014.918435.
Hilbert, M. (2016). Big data for development: A review of promises and challenges.
Development Policy Review, 34(1), 135-174. doi:10.1111/dpr.12142.
Hill, Charles W. L. (2007). Digital Piracy: Causes, Consequences, and Strategic
Responses: Asia Pacific J Manage, Jan. 30, Vol. 24, pp. 9-25.
Hills, M., & Anjali, A. (2017). A human factors contribution to countering insider threats:
Practical prospects from a novel approach to warning and avoiding. Security Journal,
30(1), 142-152. doi:10.1057/sj.2015.36.
Hodgson, C. (2013, 04). Social media. The Licensing Journal, 33, 24-25. Retrieved from
http://search.proquest.com/docview/1355701142?accountid=14749.
Hoffmann, Leah (2009). Content Control. Communications of the ACM:
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 204
June 2009, v. 52 n. 6, pp. 16 – 17.
Holt, T. J., & Bolden, M. (2014). Technological skills of white supremacists in an online forum:
A qualitative examination. International Journal of Cyber Criminology, 8(2), 79.
Homeland Security: Further Actions Needed to Coordinate Federal Agencies’ Facility
Protection Efforts and Promote Key Practices. United States Government Accountability
Office Report to the Chairman, Committee on Government Reform, House of
Representatives, November 2004, GAO-05-49.
Intrilligator, Michael D. (2007). On “Transnational Terrorism” – Perspective Paper on The
Todd Sandler, Daniel G. Arce, and Walter Enders Paper for the 2008 Copenhagen
Consensus. Copenhagen Consensus Center, December 2007.
Irwin, A. S. M., & Milad, G. (2016). The use of crypto-currencies in funding violent jihad.
Journal of Money Laundering Control, 19(4), 407-425. doi:10.1108/JMLC-01-2016-000.
Jackman, M., & Lorde, T. (2014). Why buy when we can pirate? the role of intentions and
willingness to pay in predicting piracy behavior. International Journal of Social
Economics, 41(9), 801-819. doi:10.1108/IJSE-04-2013-0104.
Jackson, Brian A. (2007). Is America Prepared for Disaster? Rand Commentary, 2007.
Jajodia, Sushil (2004). Economics of Information Security. Kluwer Academic Publishers:
New York.
Janis, I. (1972). Victims of Groupthink: A Psychological Study of Foreign-Policy Decisions and
Fiascoes. Houghton Mifflin, Boston, MA.
Jenkins, Brian Michael (2006). Five Years After 9/11: True Grit, To Counter Terror, We Must
Conquer our Own Fear. Rand Review, Summer 2006.
Jenkins, Brian Michael (2008). A Better Deal: Counterterrorism, Wage a Sustainable
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 205
Campaign. Rand Review, Fall 2008.
Jenkins, Brian Michael and John Paul Godges (2011). Ten Years Later, a Moment for
Reflection. Rand Review, Retrieved Oct. 16, 2011 from www.rand.org/t/MG110.
Jones, A. (2006). The convergence of physical and electronic security. Computer Fraud
& Security, 2006(3), 12-14. doi:10.1016/S1361-3723(06)70321-9.
Jorgenson, S. (2014). Convergence of forensics, eDiscovery, Security, & Law. Ave Maria
Law Review, 12(2), 291.
Joyce, J. (2006). The reality of espionage. Communications News, 43(5), 38-38. Retrieved
from http://search.proquest.com/docview/202800170?accountid=14749.
Kaag, J., & Kreps, S. (2013). Drones and democratic peace. The Brown Journal of World
Affairs, 19(2), 97-109. Retrieved
from http://search.proquest.com/docview/1649691316?accountid=14749
Keegan, C. (2002). Cyber-terrorism risk. Financial Executive, 18(8), 35-37. Retrieved
from http://search.proquest.com/docview/208883953?accountid=14749.
Kinslow, J. (2006). Physical and IT security: The case for convergence. Journal of
Security Education, 2(1), 75-91. doi:10.1300/J460v02n01_06.
Kirkpatrick, S. A., PhD. (2008). Refining insider threat profiles. Security, 45(9), 56-63.
Retrieved from http://search.proquest.com/docview/197806775?accountid=1474.
Kulesza, J. (2013). International law challenges to location privacy protection.
International Data Privacy Law, 3(3), 158. doi:10.1093/idpl/ipt01.
Lehman, Bruce A. (1996). Intellectual Property: America’s Competitive Advantage in the 21
st
Century. The Columbia Journal of World Business (Spring 1996), pp. 7-16.
Lessig, Lawrence (2008). Remix: Making Art and Commerce Thrive in the
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 206
Hybrid Economy. Penguin Group Inc., New York, NY.
Li, F., & Yi, Z. (2017). Counterfeiting and piracy in supply chain management: Theoretical
studies. The Journal of Business & Industrial Marketing, 32(1), 98.
Light, Jennifer S. (2001). The Effects of Privatization on Public Services: A
Historical Approach, New Directions for Evaluation, 90 (Summer Edition),
pp. 1-39.
Lucchi, Nicola (2006). Digital Media & Intellectual Property: Management of Rights and _
Consumer Protection in a Comparative Analysis. Paperback
Edition, Springer Publishing.
Luiijf, E. (2014). Definitions of Cyber Terrorism. In Akhtar, B. (2014). Cybercrime and cyber
terrorism investigator's handbook (1st ed.). Amsterdam; Boston: Elsevier.
Lyncheski, John E, Esq, F.A.C.H.C.A. (2010). Social media in the workplace. Long-Term
Living, 59(10), 32-35. Retrieved from
http://search.proquest.com/docview/761339262?accountid=14749.
Marron, Donald B. and David G. Steel (2000). Which Countries Protect Intellectual
Property? The Case of Software Piracy: Economic Inquiry (ISSN 0095-2583),
Vol. 38, No. 2, April, pp. 159-174.
Martin, Gus (2011). Terrorism and Homeland Security. Sage Publications, Los Angeles.
McCalman, Phillip (2003). Foreign Direct Investment and Intellectual Property Rights:
Evidence from Hollywood’s Global Distribution of Movies and Videos. Journal of
International Economics, Elsevier Press (2004), 62, pp. 107-123.
McCourt, Mark (2011, January). 2011: Year of the OSAC. Security, 48(1), 10. Retrieved
March 6, 2011 from ABI/INFORM Global. (Document ID: 2245366421).
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 207
McDonald, Paul (2007). Video and DVD Industries. British Film Institute.
St. Edmundsbury Press, Bury St. Edmunds, Suffolk, UK.
McHendry, G. F. (2015). The re(d)active force of the transportation security administration.
Criticism, 57(2), 211-233. doi:10.13110/criticism.57.2.0211.
McLeish, C., & Nightingale, P. (2007). Biosecurity, bioterrorism and the governance of
Science: The increasing convergence of science and security policy. Research
Policy, 36(10), 1635-1654, doi:10.1016/j.respol.2007.10.003.
McLeod, Kembrew (2007). Freedom of Expression: Resistance and Repression
in the Age of Intellectual Property. University of Minnesota Press.
Menn, J., & Watkins, M. (2010). Stuxnet worm causes worldwide alarm. FT.Com, Retrieved
from http://search.proquest.com/docview/753663699?accountid=14749.
Mitchell, Ruth C., Rita Marcella, & Graeme Baxter (1999). Corporate Information Security
Management. New Library World, 100(1150), 213-227. Retrieved March 6, 2011, from
ABI/INFORM Global. (Document ID: 86926018).
Muller, M. (2012). Water management institutions for more resilient societies. Proceedings of
the Institution of Civil Engineers - Civil Engineering, 165(6), 33-39.
doi:10.1680/cien.11.00067.
Murphy, Kim (2011). 9/11: A Decade After, Is Homeland Security spending paying off.
Retrieved from www.latimes.com on Aug. 29, 2011.
Myyry, L., Siponen, M., Pahnila, S., Vartiainen, T., & Vance, A. (2009). What levels of
moral reasoning and values explain adherence to information security rules? an empirical
study. European Journal of Information Systems, 18(2), 126-139.
doi:10.1057/ejis.2009.10.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 208
Nalla, M. K., Maxwell, S. R., & Mamayek, C. M. (2017). Legitimacy of private police in
developed, emerging, and transitional economies. European Journal of Crime, Criminal
Law and Criminal Justice, 25(1), 76-100. doi:10.1163/15718174-25012107.
National Research Council Staff (multiple authors) (2000). The Digital Dilemma: Intellectual
Property in the Information Age. National Academies Press, Washington DC (2000), i,
pp. 1-33.
Nill, Alexander and Clifford J. Shultz II (2009). Global Software Piracy: Trends and Strategic
Considerations. Kelley School of Business, Indiana University, Business Horizons
(2009), 52, pp. 289-298.
Noguchi, Yuko (2007). Freedom Override by Digital Rights Management
Technologies: Causes in Market Mechanisms and Possible Legal Options
to Keep a Better Balance. Intellectual Property Bulletin. HeinOnline
(2006 – 2007), Vol. 11:1, pp. 1-68.
Novakoff, R. (2015). Transnational organized crime: An insidious threat to U.S. national security
interests. Prism: A Journal of the Center for Complex Operations, 5(4), 134-149.
Retrieved from http://libproxy.usc.edu/login?url=
http://search.proquest.com.libproxy2.usc.edu/docview/1762303344?accountid=14749.
O'Hara, K., & Stevens, D. (2015). Echo chambers and online radicalism: Assessing the internet's
complicity in violent extremism. Policy & Internet, 7(4), 401-422. doi:10.1002/poi3.88
OECD (2012), Meeting the Water Reform Challenge, OECD Studies on Water, OECD
Publishing doi: 10.1787/9789264170001-en.
Ostergard, Robert L. (2002). Development Dilemma: The Political Economy of
Intellectual Property Rights in the International System. Scholarly
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 209
Publishing: New York, NY, USA.
Pahl-Wostl, Claudio. (2007). Transitions towards adaptive management of water facing climate
and global change. Water Resources Management, 21(1), 49-62. doi:10.1007/s11269-006-
9040-4.
Pahl-Wostl, Claudia, Gupta, Joyeeta, and Petry, Daniel. Global Governance, Vol. 14, No. 4,
Global Governance of Water: Trends, Processes, and Ideas for the Future (October–
December 2008), pp. 405-407.
Pappafotis, J. M., & Fischer, M. E. (2010). Brand Protection in the Social Media Frontier.
Maryland Bar Journal, 43(3), 4-10.
Pavone, V., & Esposti, S. D. (2012;2010;). Public assessment of new surveillance-
oriented security technologies: Beyond the trade-off between privacy and security. Public
Understanding of Science, 21(5), 556-572. doi:10.1177/0963662510376886.
Pedersen, C. (2014). Much ado about cyber-space: Cyber-terrorism and the reformation of the
cyber-security. Pepperdine Policy Review, 7(1), C1-C21. Retrieved
fromhttp://search.proquest.com/docview/1553752799?accountid=1474.
Peersman, C., Schulze, C., Rashid, A., Brennan, M., & Fischer, C. (2016). iCOP: Live forensics
to reveal previously unknown criminal media on P2P networks. Digital Investigation, 18,
50-64. doi:10.1016/j.diin.2016.07.002.
Peterman, David Randall (2004). Passenger Rail Security: Overview of Issues. CRS Report
for Congress, Congressional Research Service – The Library of Congress. Order Code
RL32625.
Pfleeger, Shari L., and Rachel Rue (2008). Cybersecurity Economic Issues: Clearing the Path to
Good Practice. IEEE Software, 25(1), 35. Retrieved March 6, 2011, from ABI/INFORM
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 210
Global. (Document ID: 1410645021).
Phelps, M. (2012, 11). Invasion of Drones. Flying, 139, 62-69. Retrieved
from http://search.proquest.com/docview/1287031644?accountid=14749.
Pislaru, C. (2017). physiognomy of new threats to global security. International Scientific
Conference "Strategies XXI", 1, 148.
Pliscoff, C. (2009). Police reform in times of collaboration. Washington: Wiley Subscription
Services. doi:10.1111/j.1540-6210.2008.01956.x.
Praneviciene, B. (2011). Limiting of the right to privacy in the context of protection of
national security. Jurisprudencia, 18(4).
Pratama, A., & Rafrastara, F. A. (2012). Computer worm classification. International Journal
of Computer Science and Information Security, 10(4), 21-24. Retrieved from
http://search.proquest.com/docview/1038461476?accountid=14749.
Predd, J.; Pfleeger, S.L.; Hunker, J.; Bulford, C.; , "Insiders Behaving Badly," Security &
Privacy, IEEE , vol.6, no.4, pp.66-70, July-Aug. 2008 / doi:10.1109/MSP.2008.87
URL:http://ieeexplore.ieee.org.libproxy.usc.edu/stamp/stamp.jsp?tp=&arnumber=458823
4&isnumber=4588217.
Ramirez, R., King, K., & Ding, L. (2016). Location! location! location! Data technologies and
the fourth amendment. Criminal Justice, 30(4), 19-25. Retrieved from
http://libproxy.usc.edu/login?url=http://search.proquest.com.libproxy1.usc.edu/docview/1
784178578?accountid=14749.
Rand Study Says New Approach to Estimating Terror Risk Can Help Better Target
Homeland Security Fund Allocation (2005). Rand News Release from Nov. 9, 2005.
Randol, B. M. (2012). The organizational correlates of terrorism response preparedness in local
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 211
police departments. Criminal Justice Policy Review, 23(3), 304-326.
doi:10.1177/0887403411400729.
Richardson, Louise (2006). What Terrorists Want: Understanding the Enemy,
Containing the Threat. Random House Trade Paperbacks, New York.
Riley, K. Jack (2011). Beyond the Shadow of 9/11: Air Passenger Security at a
Reasonably Cost. Rand Review, Summer 2011.
Roscini, M. (2015). Evidentiary issues in international disputes related to state responsibility for
cyber operations. Texas International Law Journal, 50(2), 233.
Sales, N. A. (2015). can technology prevent leaks? Journal of National Security Law & Policy,
8(1), 1.
Saltar, Michael (2014). Toys for the Boys? Drones, Pleasure and Popular Culture.
In the Militarization of Policing, Critical Criminology, 22(2), pp. 163-177.
Schofer, M. (2015). Human rights and national security post 9/11. Security and Human Rights,
26(2-4), 294-307. doi:10.1163/18750230-02602012.
Schultz, Eugene E. (2005). Security Views. Computers & Security (2005), 24, 589-598.
Schultz, Eugene E. (2007). Risks due to convergence of physical security systems and
information technology environments. Information Security Technical Report, 12(2), 80-
84. doi:10.1016/j.istr.2007.06.00.
Sewell, W. G. (2004). Protecting against cyber terrorism. Public Works, 135(3), 39-40,42-
43. Retrieved fromhttp://search.proquest.com/docview/218801889?accountid=14749.
Shultz II, Clifford J. and Bill Saporito (1996). Protecting Intellectual Property
Strategies and Recommendations to Deter Counterfeiting and Brand
Piracy in Global Market. The Columbia Journal of World Business (Spring,1996), pp.
18-28.
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 212
Shurer, Sonny (2015). Drones and Corporate Security, Part 2, AS Solution – Forward Thinking,
pp. 1-7.
Sigismondi, Paolo (2009). Hollywood Piracy in China: An Accidental Case of U.S.
Public Diplomacy in the Globalization A g e : Chinese Journal of Communication, Vol.
2, No. 3, November, pp. 273-287.
Southers, Erroll G. 1956- (Erroll Gregory). (2013;2014;). Homegrown violent extremism.
Amsterdam: Anderson Publishing.
Spilman, M. T. (2016). Takeaways from the Sony pictures entertainment hack. The
Entertainment and Sports Lawyer, 32(3), 20-28. Retrieved from
http://libproxy.usc.edu/login?url=http://search.proquest.com.libproxy2.usc.edu/docvi
ew/1812611192?accountid=14749.
Stackpole, Beth (2005, February). Secure Horizons. Electronic Business, 31(2), 20.
Retrieved March 6, 2011 from ABI/INFORM Global. (Document ID: 790463241).
Steele, S., & Wargo, C. (2007). An introduction to insider threat management. Information
Systems Security, 16(1), 23-33. Retrieved from
http://search.proquest.com/docview/229607002?accountid=14749.
Stoica, I. (2016). Transnational Organized Crime. An (Inter)national Security Perspective.
Journal of Defense Resources Management, 7(2), 13.
Stop corporate espionage before it hurts your organization. (2009). HR Focus, 86(6), 3-5.
Retrieved from http://search.proquest.com/docview/206805147?accountid=14749.
Sullivan, C. (2016). The Sony Hack and the Role of International Law. Journal of National
Security Law & Policy, 8(3), 1-27. Retrieved from
http://libproxy.usc.edu/login?url=http://search.proquest.com.libproxy1.usc.edu/docview/1
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 213
831706260?accountid=14749.
Syed (Shawon) M. Rahman, & Donahue, S. E. (2010). Convergence of corporate and
Information security. International Journal of Computer Science and Information
Security, 7(1), 63-68.
Taleb, N. N., Spitznagel, M. W., & Goldstein, D. G. (2009). The six mistakes executives make in
risk management. Boston: Harvard Business Review.
Urciuoli, L., Männistö, T., Hintsa, J., & Khan, T. (2013). Supply chain cyber security – potential
threats. Information & Security, 29(1), 51.
Veer, T., Berger, F., & Blind, K. (2016). The impact of product piracy on corporate IP strategy.
R&D Management, 46(S2), 631-652. doi:10.1111/radm.12149.
Verrier, Richard (2009). Sony’s ‘Cloudy’ Outlook. Los Angeles Times (Print Edition).
September 18, 2009 Edition, Section B3, pp. 1-3.
Verton, Dan (2003, July). Corporate security still lacks focus two years after 9/11.
Computerworld, 37 (29), 13. Retrieved March 6, 2011, from ABI, INFORM Global.
(Document ID: 375742261).
Vijayan, Jaikumar (2005, April). Strategic Security. Computerworld, 39(15), 48.
Retrieved March 6, 2011 from ABI/INFORM Global. (Document ID: 821585341).
Vogel, R. J. (2013). Droning on: Controversy surrounding drone warfare is not really about
drones. The Brown Journal of World Affairs, 19(2), 112-122. Retrieved from
http://search.proquest.com/docview/1649691585?accountid=14749.
Wakefield, Allison (2008). Private Policing: A View from the Mall. Public Administration, 86,
3, pp. 659 – 678.
Walaski, P. (2013). Social media. Professional Safety, 58(4), 40-49. Retrieved from
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 214
http://search.proquest.com/docview/1331594111?accountid=14749.
Walsh-Grant, R. (2013). Be clear about workplace social media rules. Farmers Weekly,
160(13), 24-25. Retrieved from
http://search.proquest.com/docview/1450250458?accountid=14749.
Walters, R. (2010). Managing risk through the integration of physical and logical security.
Biometric Technology Today, 2010(7), 6-8. doi:10.1016/S0969-4765(10)70144-2.
Wang, Shujen (2003). Recontextualizing Copyright: Piracy, Hollywood, the State, and
Globalization: Cinema Journal, Vol. 43, No. 1 (Autumn, 2003), pp. 25-43.
Warf, B., & Fekete, E. (2016). Relational geographies of cyberterrorism and cyberwar. Space
and Polity, 20(2), 143-157. doi:10.1080/13562576.2015.1112113.
Warkentin, M., & Willison, R. (2009). Behavioral and policy issues in information systems
security: The insider threat. European Journal of Information Systems, 18(2), 101-105.
doi: 10.1057/ejis.2009.12.
Warren, M. (2015). Modern IP theft and the insider threat. Computer Fraud & Security, 2015(6),
5-10. doi:10.1016/S1361-3723(15)30056-7.
Wasko-Owsiejczuk, E. (2015). National security letters - A controversial FBI tool to fight
terrorism. Internal Security, 7(2), 71-89.
doi:http://dx.doi.org.libproxy1.usc.edu/10.5604/20805268.1212113.
Waterman, David, Sung Wook Ji, Laura R. Rochet (2007). Enforcement and Control
of Piracy, Copying, and Sharing in the Movie Industry: Springer Science and
Social Media, Vol. 30, pp. 255-289.
Williams, Patricia A.H. In a ‘trusting’ environment, everyone is responsible for information
security, Information Security Technical Report,
EMERGING TECHNOLOGY AND ITS IMPACT ON SECURITY POLICY 215
Volume 13, Issue 4, November 2008, Pages 207-215, ISSN 1363-4127,
10.1016/j.istr.2008.10.009.
Wilson, B. (2004). Why convergence? Security Technology & Design, 14(12), 39.
Winterfeldt, B. J. (2012). Building your brand through social media. Computer and
Internet Lawyer, 29(2), 22-31. Retrieved
fromhttp://search.proquest.com/docview/918827811?accountid=14749.
Xhelili, B., & Crowne, E. A. (2012). Privacy & terrorism review - where have we come in 10
years? Journal of International Commercial Law and Technology, 7(2), 121.
Yang, D., & Fryxell, G. E. (2009). Brand positioning and anti-counterfeiting
effectiveness: A study of managers' perceptions of foreign brands in china. Management
International Review, 49(6), 759-779. Retrieved from
http://search.proquest.com/docview/89161876?accountid=14749.
Yar, Majid (2005). The Global ‘Epidemic’ of Movie ‘Piracy’: Crime-wave or Social
Construction: Media, Culture & Society, Vol. 27, pp. 677-696.
Zalud, B. (1996). Economic espionage plots loom. Security, 33(8), 14-14. Retrieved from
http://search.proquest.com/docview/197728215?accountid=14749.
Zedner, Lucia (2002). The Concept of Security: An Agenda for Comparative Analysis, Legal
Studies, 1, pp. 153 – 176.
Abstract (if available)
Abstract
For a number of reasons, concerns surrounding security and safety have intensified. Contributing to such increased visibility and awareness are factors such as global terrorism, civil unrest in multiple locations around the world, and increasing examples of violent attacks both domestic and abroad. We are living in a transformative era of security policy and risk analysis. The common thread fueling this transformation is emerging technology. Technological growth has been rapid, risks are dynamic, and responses to this new condition are predominantly reactive instead of proactive. An increasingly interconnected world from a social, political, and economic perspective has created unintended consequences. New tools developed for growth and development are creating dangerous vulnerability. Emerging technology has created expansive opportunities for growth and innovation while simultaneously creating opportunities for malicious or illegal activities directly associated with that growth. Crimes which leverage new technology are more complicated, more nuanced, and more challenging. Indeed, many of today’s crimes are not new but technology has forced us to rethink our approach. Traditional policies to reduce transnational crime, to manage global risk, and to instill a sense of safety and security are no longer adequate, some obsolete. Proposed solutions involve the convergence of information and physical security domains, leveraging the most advanced big data analytics, and cultivating organizational networks. Technology is paradoxically creating new opportunities for criminal activity and simultaneous being used monitor citizens for crime prevention. Given this transformation, the thoughtful balancing of security and privacy will be instrumental as surveillance, tracking, and monitoring could jeopardize individual security, albeit with the best of intentions for collective safety in society.
Linked assets
University of Southern California Dissertations and Theses
Conceptually similar
PDF
Cryptographic currency and economic security: threats, opportunities, and regulatory challenges
PDF
Water security, national security and MCIWest: a grounded theory for operationalizing risk management
PDF
Homegrown violent extremism: designing a community-based model to reduce the risk of recruitment and radicalization
PDF
Gangs beyond borders: California and the fight against transnational crime - have recommendations become reality?
PDF
Emerging catastrophes in slums of the developing world: considerations for policy makers
PDF
A robust model for disaster risk and decision analysis
PDF
Green healthcare, an environmentally sustainable methodology: an investigation of the ecological impacts of the healthcare industry and the role of green initiatives in sustainable medical services
PDF
The use of mobile technology and mobile applications as the next paradigm in development: can it be a game-changer in development for women in rural Afghanistan?
PDF
A learning model of policy implementation: implementing technology in response to policy requirements
PDF
Workplace conflict and employment retaliation in law enforcement; an examination of the causes, effects and viable solutions
PDF
Elements of a successful multi-sectoral collaborative from a local government perspective: a framework for collaborative governance – dimensions shared by award winning multi-sectoral partnerships
PDF
The context of leadership in the development of California’s innovation hubs
PDF
Using innovative field model and competency-based student learning outcomes to level the playing field in social work distance learning education
PDF
China-Africa cooperation: an assessment through the lens of China’s development experience
PDF
Critical factors in evaluating compliance to United Nations Security Council Resolution 1540: developing a methodology for compliance evaluation
PDF
Community development agreements: addressing inequality through urban development projects
PDF
Individual differences in trust development: Assessing the effects of trustor attributes on trust building, stability, and dissolution
PDF
Older adult community service worker program for Riverside County: community-based solutions for social service delivery
PDF
Case studies for real estate valuation
PDF
A framework for evaluating urban policy and its impact on social determinants of health (SDoH)
Asset Metadata
Creator
Bogaard, Matthew
(author)
Core Title
Emerging technology and its impact on security policy
School
School of Policy, Planning and Development
Degree
Doctor of Policy, Planning & Development
Degree Program
Policy, Planning, and Development
Publication Date
07/08/2018
Defense Date
05/03/2017
Publisher
University of Southern California
(original),
University of Southern California. Libraries
(digital)
Tag
Computers,Globalization,OAI-PMH Harvest,risk,security, policy,Technology,terrorism
Language
English
Contributor
Electronically uploaded by the author
(provenance)
Advisor
Robertson, Peter (
committee chair
), Morgan, Donald (
committee member
), Southers, Erroll (
committee member
)
Creator Email
bogaard@usc.edu,matthewbogaard@gmail.com
Permanent Link (DOI)
https://doi.org/10.25549/usctheses-c40-394385
Unique identifier
UC11263815
Identifier
etd-BogaardMat-5491.pdf (filename),usctheses-c40-394385 (legacy record id)
Legacy Identifier
etd-BogaardMat-5491.pdf
Dmrecord
394385
Document Type
Project
Rights
Bogaard, Matthew
Type
texts
Source
University of Southern California
(contributing entity),
University of Southern California Dissertations and Theses
(collection)
Access Conditions
The author retains rights to his/her dissertation, thesis or other graduate work according to U.S. copyright law. Electronic access is being provided by the USC Libraries in agreement with the a...
Repository Name
University of Southern California Digital Library
Repository Location
USC Digital Library, University of Southern California, University Park Campus MC 2810, 3434 South Grand Avenue, 2nd Floor, Los Angeles, California 90089-2810, USA
Tags
risk
security, policy