Emil Sayegh, president and CEO of Ntirety, unpacks the issue of inauthentic identities opening doors to untraceable, fake social accounts and the impact that it has on society. Emil is a cloud visionary and is known as one of the "fathers of OpenStack."
In the latest episode of the Tripwire Cybersecurity podcast, Tim Erlin had the opportunity to speak with Emil Sayegh, president and CEO of Ntirety. Emil is a cloud visionary and one of the fathers of OpenStack.
Tim Erlin: Before we dive into the details, can you frame up the problem for the audience?
Emil Sayegh: Absolutely, and thank you so much for having me here. It's an honor. There are multiple instances where lack of authenticity has driven a frenzy out there. That could be cybersecurity threats in the enterprise, or it could be in things that are very popular like the GameStop stock event from earlier this year. We saw a frenzy of basically bots in social media that were driving hype around a certain aspect of a financial vehicle. This has also allegedly happened during the last two election cycles. There are continued threats of these anonymous bots and anonymous personas out there, driving effects that are potentially not real.
TE: Yeah. I think there are a couple of layers of problem there. We're talking about accounts for different platforms, and there's the need to determine that behind that account is a real person. That real person obviously has an identity, so there's also the potential that the account is anonymous. If you can't verify who the person is behind that account, that would be the anonymity aspect of it. Does that make sense?
ES: Absolutely. I think that's a great grounding. There's really not a major problem with anonymity when you need to keep your identity secret. There is only a problem when you're creating multiple identities anonymously to drive a false narrative.
TE: Is the problem that a single person or a single entity is able to multiply their influence by creating multiple identities, whether they're bots, or a single person creating multiple personas?
ES: Whenever you're in a conversation online, you don't know who's behind that account. Is it a bot, or is it a real person? Is it one person with multiple accounts that are ganging up on you? The same thing happens with product and business reviews. There's a plethora of these services for hire that will crank up reviews for a product. A lot of those things are driven by bot activity and, in some cases, insincere users of the platforms.
TE: I wanted to touch on some of the consequences of these inauthentic identities, broadly speaking. What are the impacts and negative outcomes of this problem?
ES: It ranges from market manipulation, as we saw with GameStop, to cybercriminal activity, fraud, and economic and political influence in the case of the elections. It all goes down to narrative shaping.
TE: Yeah, that ability to provide an outsized level of influence. As we talk through it, it's a big problem. It extends to impacting the economy and the political climate, as well.
ES: Absolutely. This is an existential threat to the authenticity of the discourse in social media because you don't know whether you're talking to a real person, if you're being up-voted or down-voted by real people, or if a single person with multiple identities is attempting to shape the narrative. That's the risk.
The appeal to me is to figure that out before it gets further out of hand. The technology exists to limit this problem. We just need the will, and the construct, and the proper governance to ensure that we're verifying one user per identity. If that identity is anonymous, it's no big deal. Certain platforms like Reddit will have more anonymous identities than other, more open platforms. But at some point, we have to fix that problem.
TE: The idea there is that, for a given platform, I should be able to only really have one identity on that platform, not multiple identities. Is that right?
ES: Potentially, yes. Maybe a business persona and a personal persona, if that platform is open for that. Twitter, as an example, is used for both. Facebook is used for both. So, you could have two personas. LinkedIn is a business, a professional construct, and they do a very good job of controlling personas. There, you would have only one.
TE: Over the last five or more years, we have seen the growth of many providers such as Google, Facebook, and Apple becoming identity providers. From the viewpoint of impact, do they continue in this scenario? Is it their job to validate that there's a real person behind those identities, or do you imagine a different type of governance being involved?
ES: As long as it's done consistently across platforms, that would be fine. The platform that can figure that out first would be a major winner because you would know that your conversations online are authentic, that you are talking to a real person. I think that it's going to improve the conversation and make people more accountable. I think you're going to see a reduction in “fake news” and a reduction in the incendiary rhetoric because people will be accountable.
To essentially create the limit on the number of personas you can have online, it can be tied to some other means. For example, dual-factor authentication verifying that an identity is tied to a phone number.
TE: Do you see the adoption of multi-factor authentication as ultimately a way to drive this type of solution?
ES: Absolutely! That should be the push for all of us in the cybersecurity world. This is a “must” for corporate entities. It's also a “must” in our consumer-oriented communication. Anybody who lacks a strategy to implement that is at a big cybersecurity disadvantage.
TE: So far, we've seen identity providers who encourage multi-factor authentication but don't require it because that would cut off a section of users on the corporate side. What do you think creates the tipping point for a consumer identity provider to shift from discretionary to mandatory multi-factor authentication?
ES: I agree that this is where we're going to end up going because of the security threats and especially when an identity gets stolen. Many of these platforms have liability because they may have payment information stored for that individual. The provider can say, “We're not going to indemnify you if your identity gets stolen unless you have multi-factor authentication enabled” just to drive the acceptance there.
TE: You mentioned that there's nothing wrong with anonymity but that we need to tie the online identity to a real person. Why is being anonymous online acceptable or necessary?
ES: On Reddit, for example, there's a lot of in-depth information that requires anonymity such as the cases of whistleblowers. We must protect that so there's a culture of free speech, especially in the United States. That’s an important aspect of protecting anonymity. We just don't want one user to have 20,000 personas like in the case of bots that drive site traffic.
TE: Right. A previous guest talked about protecting victims of domestic abuse and online identities as well as how to manage them in those situations. That's another example where someone might need to actually ensure that they're anonymous and also change their identity so that they're untraceable through their previous identity. There are definitely use cases where anonymity is important. That ability to tie back to a real person is a sizeable challenge. We also have to assume that outside of corporate, on the consumer side, there are many abandoned identities that aren't being used but that provide targets for attackers in some way.
ES: Absolutely. That's a major risk factor.
TE: Is there a role for government oversight in solving this problem, or is it really a problem for industry to solve on its own?
ES: I'd like to see industry solve it on its own. The issue, though, is that some of the social media players out there benefit from this frenzy. But that is short-sighted because many of the complaints on the online forums are about traffic-shaping bots. People are very conscious of the situation.
TE: Long-term, there's the economic win for these platforms in dealing with this problem because ultimately people will leave those platforms if they aren't sufficiently authentic.
ES: Absolutely. This is not something that is just an economic issue. It’s also a matter of national security. There are verified cyber criminals associated with terrorist organizations and foreign groups that are trying to manipulate the market this way. Unless the industry figures it out, the government is going to step in. My wish is for us to get together and figure it out before then.
TE: It's a really interesting challenge, and this is of course a global problem. What jumps to mind for me is the example of GDPR. The United States essentially didn't see consumer privacy and control over consumer data as a big problem, but the EU felt it was a big enough problem. GDPR has definitely influenced the way that people do business with the European Union. That's an example where another government stepped in.
ES: You absolutely nailed it. That's the point of this, right? This is a global economy, and unless we figure it out as industry leaders, one of those governments will step in, and then we will have to react just like we did with GDPR.
TE: Absolutely. I often find with these podcast conversations that we actually answer a bunch of questions about a problem and come up with questions that still need to be answered, which is not necessarily a bad place to be.
ES: Yeah. We need to have security, authenticity, and privacy all kind of start from the ground up. My plea is for everybody that's building new software today to start with that at the ground level. Let's figure that out before we go too far with developing some of the other features.
TE: I think we'll end with your plea there. Thank you so much, Emil, for spending time with us. It was a really interesting conversation.
ES: Absolutely. Thank you for your time and for inviting me.