Modern Cyber with Jeremy Snyder - Episode 35

Wes Kussmaul of the Authenticity Institute

In this episode of Modern Cyber, Jeremy sits down with Wes Kussmaul, founder and CEO of the Authenticity Institute, to discuss the evolving landscape of digital identity and accountability.


Podcast Transcript

Alright. Welcome back to another episode of the Modern Cyber Podcast. We've got a really interesting conversation queued up for today, and I'm joined by somebody with a long and distinguished career and background in the cybersecurity space across a range of spaces. I am joined today by Wes Kussmaul, the founder and CEO of the Authenticity Institute, builders of a unique PKI certification authority. The Authenticity Institute, or infrastructure, sorry, provides digital identity certificates as opposed to other PKI platforms, which tend to focus on site certificates or other object certificates like server certificates.

We're gonna talk about that. Wes is also highly rated on the 2023 Thinkers 360 list of the top 50 global thought leaders on cybersecurity. Wes, previously in his career, created the world's first online encyclopedia, which morphed into the Delphi social network, later acquired by Rupert Murdoch's News America Corporation. Wes is also an author, having published Quiet Enjoyment about solving social media accountability. And Wes also worked with the ITU in their headquarters, I understand, chartering something called the city of Osmo.

And if time permits, we'll try to get into that as well. Wes, thank you so much for taking the time to join us today. Sure, Jeremy. It's my pleasure to join you. Awesome.

Let's start the conversation with something that you said kind of before we started rolling on our recording today, which is that, you know, you want to fix our digital world. How do you think about that problem? Maybe what's broken? Where do we even start? Sure.

Happy to. So as I mentioned, the Internet used to be characterized as an information highway. So let's think about what that means, because the name still fits. What is an information highway? What is a highway? Isn't it an outdoor public transport system?

So if we're using the information highway, if the web is kinda like the finish layers on the highway, the signage and the striping, what are we doing? We're living, working, and letting our kids hang out by the side of the information highway. What would we do if we found ourselves in that situation in the physical world? If we found ourselves working and socializing and letting our kids hang out by the side of a roadway, and that's all there is, wouldn't we go looking for an indoor space, a building?

Right. Because, you know, while the outdoors is certainly an enjoyable space to spend time in, it's utterly lacking in the one thing that buildings are designed to provide. The main thing that buildings are designed to provide, which is spaces of accountability. You tend to know who's in a room with you. So where are the buildings?

Where are the digital buildings? We've learned over centuries how to build habitable spaces. We've learned over centuries how to live a life that combines time in the outdoors and time in these accountability spaces called buildings. So where are the buildings? And the answer is, well, they don't exist because we've built our information infrastructure on outdoor assumptions.

Meanwhile, there's this wonderful construction material with which buildings can be built. It's known by a number of names: PKI, PKC, asymmetric cryptography. We use it every day when we go to websites that start with HTTPS. Blockchain is built on asymmetric cryptography, but it's deployed with, well, it's deployed in bits and pieces. You don't find complete PKI-built structures where digital identity certificates are the heart of it.

And this is the key to building accountability spaces called buildings. The issue, the challenge, is the fact that along with these outdoor spaces, we have built an ecosystem. We call it Sylvandia: Silicon Valley plus the broadband and media industries, plus their, you know, their feeders in other parts of industry. And the problem is the business models, the revenue models of those outdoor industries, are built on helping themselves to your personal information. If you build things out of identity certificates, that means that you've got the means to put people in control of the use of information about themselves, which is a good thing for everyone except Sylvandia, except for the companies that make their money exploiting your personal information.

So that's the challenge. You're not particularly friendly to the idea of putting you in control of the use of information about yourself. But that I see that as more of a data problem than of a certificate problem. Oh, it is a data problem. Absolutely.

And if data about yourself is in a controlled PKI information vault inside of your PKI home, digital home, and your personal information is, using the legal tools available, made into your personal intellectual property. If someone wants to use your personal intellectual property, they need either an explicit or implicit NDA. Mhmm. And a license. So if you wanna know my name, address, you know, the number of miles I drive per year, ask me for a license. And Okay.

You know, it sounds cumbersome, but once it gets rolling, it's like the rest of technology. It starts out cumbersome because it's different, but people get used to it, and we get robots that handle these things for us. But just to make sure I'm understanding you, in this analogy, the license is kind of like a certificate that certifies that I am who I say I am, or or where does that kind of fit? Well, that's separate. Your identity certificate is Okay.

Attests to your identity claim, and they and it's accompanied by a measure of its own reliability. But separate from that is a purely legal thing. It's not even a piece of technology. It's a license. If I Okay.

If I verbally say to you right now, I license you to know the address where I'm sitting right now, that's it. There's no technology involved whatsoever. It's a legal artifact. Okay. And so along those lines, if we think about kind of the data problem and the organizations that are kind of collecting the data and using that as the basis for kind of allowing us or disallowing us access to, let's say, like, you know, their services, which, I don't know, maybe that kind of equates to the buildings that you talk about in your analogy.

What is it then, you know, GDPR is supposed to solve a lot of this from the standpoint of organizations have to be accountable for telling me, as I sign up for the service, what data they're collecting, for what purpose, and then they have accountability for me being able to go ask them, show me all the places that my data has been used, and also being able to say, well, I decline to allow you to continue to use my data, and in fact, I request deletion of my data. You know, that seems to me to provide a level of accountability to those organizations. Do you see it differently? Absolutely. How much time do people spend exercising their rights under GDPR?

How many people make a part-time career of chasing down users of their personal information? It needs to be a built-in system. It means by default, you don't have access to my information. You must come to me and ask for access to my information. Let me give you an example.

Okay? Okay. Let's say you've got all your personal information inside of, we call it an MOI, my own information. It's our name for your personal information vault. PKI information vault.

Everything about you is in there. It's like one of these classified information file cabinets that governments use. Top drawer is structured information, which is basically built on W3C Solid. It is W3C Solid. Middle drawer is for unstructured information.

So, videos and images and resumes and that sort of thing. And the bottom drawer is for information that you happen to have in your possession, but you don't have title to. So in other words, work files and things like that. So, let's say that you realize one fine day that your car needs tires. Mhmm.

You, up until that moment, have been utterly uninterested in tire ads. Right? Marketers selling, you know, the latest Michelin or Pirellis or whatever. Now all of a sudden, you wanna know all about tires. So Okay.

There's this, what we call a sphere, called tire vendors, and you license this sphere, anyone who's legitimately in that sphere called tire vendors, to know the make and model of your car, even the vehicle VIN, vehicle identity number, the number of miles you drive, all sorts of pertinent information about, you know, your preferences for, you know, whatever you know about tires. Okay. And so you get lots of information in your inbox. It says you've declared yourself.

Not that they haven't fished around trying to find people who might need tires. You have declared yourself, here I am. I'm a customer. I'm about to buy 4 tires. Isn't that the holy grail of tire marketers?

Right? So Mhmm. But as soon as I make that choice, I make the commitment to buy the tires, I revoke that license. I have licensed that sphere to know these things about me, particular fields of information, and then I revoke that license. You might say that, you know, your close family members are entitled to other sets of information.

You have, like, a sphere called friends or close friends. Sure. Not so close friends, my drinking buddies. Yep. Yep.

And, you know, Twitter, you know, might be a relying party that you might license. So you identify the relying party, and you have an implicit NDA, and you have automated licensing. So you've told your robot, here are the kinds of people who get to know what about me. Okay. And then but what's the problem with this?

Because, you know, if I revoke the license to that data at that time and all the people participating in the sphere are following the rules as they should be. And I know that's a big if and a big assumption. Right? But assuming that they are, let's say, compliant with the rules of the sphere, you know, I've done the revocation. My data is no longer shared.

It shouldn't be shared outside of that sphere anymore. You know, I've been in control of my data through the steps of that process. Where do you see the problems, or where do you see the lack of accountability in that chain? Well, since your licensing of your information carries with it the requirement that it is only to be used for the purposes in the license. And if it's used for any other purpose, if you, you know, put a little breadcrumb in your information and it shows up elsewhere, you know that, let's say, one of those tire vendors has gone and misappropriated your information and used it for purposes outside the license, then, you know, you can take legal action against them.

Your earlier question about revocation, yeah, I mean, if you revoke the license, revoke a license to a, you know, a sphere, a group of entities or a particular entity, yeah, they no longer have access to it. I might also add that this does away with medical forms, insurance forms, or much of those forms, because you're going to license any legitimate health care provider to know certain things about, to share medical records. Right. EHR records. Your insurance company no longer, you don't have to keep, you know, if you move, things change in your circumstances, now all of a sudden you're shuffling paperwork. No.

Everyone who needs to know your address, your current address, has that information. They have that information under license. If you move, you change your address once. And if you change your phone number, change it once. Anyone who's entitled to know your phone number now has the updated information.

You never have to deal with, you know, that part of administrivia again. Yeah. Yeah. I mean, unfortunately, that's not really the world that we live in. And, you know, when I ask new world.

Jeremy, let's step back a little bit. You know? Microsoft Azure is collapsing today. Yep. Why?

Because the components of software supply chains are digitally signed by who? We don't know. You know? A department. What does it mean for a department of a company to sign something?

You know? This is what happened to the auditing profession, to CPAs. You know? In the middle of the 20th century, Arthur Andersen stopped being this person, Arthur Andersen, signing personally, saying, I, Art Andersen, take responsibility for these financial statements. Suddenly, Arthur Andersen became Arthur Andersen LLP, and I don't mean just that one firm.

I mean, the accounting profession went from individual accountability to group accountability. You know? Who signs the signature at the bottom of the financial statement? You know? PwC, you know, does everybody sign a little bit of the signature?

This is what has gone wrong with our information infrastructure, and, you know, certainly the accounting profession was a harbinger of problems to come when you do away with personal, human, individual accountability. Yeah. If Microsoft Azure, if every bit of the code used in CrowdStrike had been digitally signed by an accountable human being, then it wouldn't have happened, because whoever's on the hook for problems would be immediately known, and there goes their career. Well, but I think that might be the case.

Right? And if I think about, you know, like, say this current example with CrowdStrike, you know, so a build got released, got shipped out to customers. In that build was a faulty file. So that faulty file, there is somebody who pushed that faulty file into the build, and that person's identity should be captured through the deployment process. Right?

You know, somebody checked in that code. There's a code repository. It certainly should. It should. But, you know, is that the case?

And is that the case with the thousands of pieces of code that went into that? And the answer is no. So, Jeremy, both you and I right now are sitting in indoor spaces, and you know there's something that works so well that we tend not to pay attention to it. It's called the occupancy permit. What is an occupancy permit?

It means that your indoor space is habitable. And what if there's a problem with that habitability? What happens if, you know, cracks develop or, you know, it turns out that the habitability is compromised? There is an individual who has signed, or actually 3 individuals, sometimes 4, for the issuance of that occupancy permit. There's the architect.

There's the contractor. There's a building inspector. All 3 of them are professionally licensed. They can lose their livelihood if they are sloppy. Often, there's also a structural engineer involved if it's a bigger building.

Yeah. And every time they sign for the issuance of that occupancy permit, in their head is the fact that, you know, let me double check. Let me think through. Let me make sure that I haven't made any major mistakes here. Because if I have, you know, yeah, there's always something that could have been done better.

But if I made a major screw-up, I'm gonna have to go flipping hamburgers for the rest of my life, because I will no longer be able to practice as an architect. We should bring that method, that procedure. And the wonderful thing about digital space is we have digital signatures, PKI digital signatures. So it's no longer a matter of a wet signature on a piece of paper. It's something that can be checked by anyone from anywhere.

Yeah. But along those lines, let me ask a question. You know, let's say that this is not malicious in any way. Let's say that this is human error. Right?

Yes. It is. And it seems likely. Right? Yeah.

I'm convinced that there was no hacking going on. Exactly. So somebody made a mistake. They pushed something into a build. And, again, I do think probably there is traceability in place that will allow them to identify, you know, which individual person made the mistake.

And how do you revoke the license? How do you revoke the license? How do you put the fear of license revocation into that? Well, I mean, the simplest answer is most people are gonna lose their job over a mistake like this. And they go get another job.

System wide. Yeah. Sure. Right. Okay.

So your point is that, you know, this error should stay with the individual on a personal accountability level, for Professional licensing works. If you're a surgeon and you screw up badly, you can lose your right to practice surgery. Understood. But if you think about this in the digital world in terms of, let's say, like, software, there's software engineering. Most of the time, at least, I know I can't speak on behalf of everybody.

Many organizations, they're doing things for the first time. It's not like this is software that has been written many times, and so you could test somebody on their ability to recreate that software. You've got people creating and inventing things new for the first time. How do you license them for that if, you know, you can take a coding standard minimum. You could even take a coding security standard minimum.

But when you're breaking into new spaces, I don't know that you can kind of assign a level of accountability that says, oh, you're just not good enough for the rest of your career. As with architecture, you're always trying new, there are always new construction materials. There are always new methods. And, yeah, you're breaking new ground all the time. But then there's another nice thing about professional licensing, and that is, architects who do manage to get gigs are paid very well.

That's the other side of professional licensing. Yeah. You know, supposedly, the C-level officers of a company are paid so well because of the liability they assume. Whereas the average coder gets paid, well, you know, a living wage. If they were assuming liability, they would get paid well for assuming that liability, because that's the way it works.

That's architects are paid well for signing those occupancy permits. But along those lines, right, an architect would never build with a new material on something that, for instance, has human lives depending on it. There will be test builds. There will be labs. There will be all kinds of testing done.

And, you know Lives not dependent upon our digital practices. There are people who 100%. People who are sitting in airports today who needed to get to that surge in For sure. For sure. Absolutely.

I'm not disagreeing with that point in any way. And, you know, there are hospitals that probably can't operate at the capacity that they need to because some of their digital systems are affected, and there are probably patients in hospitals already who are suffering ill consequences from what we're seeing right now. Right? My point is that, you know, okay. So there's the personal mistake of the person who committed the bad code, whatever, committed the bad file, whatever.

But then there's also the organizational accountability for, well, you know, that build should have gone through rigorous testing before it went out into the world. And that is, you know, that's an organizational process problem more than it is a problem of the individual who committed the one bad piece of code. Right? Exactly. And let me use an analogy.

So Arthur Andersen used processes in order to certify the financial reports of Enron. Mhmm. Right? What happened there? Yeah.

Right? Yeah. Yeah. So I wanna change gears for a second, because we've only got a few minutes left in today's episode. I know you've been working on things for a long time.

Tell us a little bit the story of creating the world's first online encyclopedia. I'm fascinated to hear about that. Oh, what a story. So I had this idea, and I reached out to a source of text. His name was Max Shapiro.

This is in 1980 or '79. Max was the publisher of the Cadillac Modern Encyclopedia. Okay. And we struck a deal to license the text for his encyclopedia. But Max said, Wes, I'm really excited about this project. I really wish you well, but I don't think it's gonna work.

Alright. So why not? Well, computers only deal in numbers. They don't deal in alphabetic characters. He was elderly.

Yeah. Yeah. He was a nice guy, on in years. And, anyway, so we acquired the text. We scanned it using a Kurzweil machine, believe it or not, way back in 1980.

And I wrote the original code to, we call it Textrieve, to retrieve encyclopedia entries and cross references. And my code was really slow and really buggy, but the database was on the machines at the MIT joint computer facility. It was a VAX computer and, Okay. Yep. I worked And I got to know very early in my career.

So I got to know a few people there, and one of them, Phil McNeal. God bless Phil McNeal. He came along with a brainstorm. He said, you know, it's all about naming of entries. And if you put each entry into a separate file and then just use the VAX VMS print command, print, and then name a file.

You translate the word into a file name. Your software's done, and it works. It was great. So, anyway, that's the happy part of the encyclopedia story. The unhappy part was that, you know, people didn't have personal computers back then.

Right. So the deal was that we supplied your choice of either a Tandy Color Computer or an Apple II, with software, with the encyclopedia online sir, with a modem, which back then was 300 bits per second. Yeah. Yeah. And, anyway, our customers, the people who bought these systems, were parents of kids who could not get their kids into computer classes because every one of them was booked solid.

Okay. And so we were their computer education, and we offered unlimited support. So we'd call first thing in the morning, and we'd be giving computer courses over the phone all day. Yeah. Basically, no time to, you know, run a business.

Yeah. So but we had added social features pretty quickly. So email was there from the start, and we added bulletin boards and SIGs. You know, small social groups; you could create your own social network. And pretty soon, we could see that the social features were the popular ones.

Like a print encyclopedia, people tend to buy an encyclopedia, and for the first couple of months, they use it. And then after that, it sort of sits and gathers dust. Not everybody, but that common story. So the same large. Yeah.

Same thing with the online encyclopedia, but social features, of course, generate usage. So Yeah. We stopped supplying the computer. We changed the name to Delphi, and lo and behold, it saved our bacon. Interesting.

I'm really curious, you know, about some of the usage patterns back then, because I guess, first of all, just to make sure I understood you right. So the content of the encyclopedia, you kind of shipped the computers with, like, a client application that could load the articles, if I'm hearing you right, but then you stored the articles on a back-end system that customers accessed over a modem connection. Right? Right. Oh, yeah.

There's no way in those days you could store an encyclopedia on a computer. And Microsoft tried with Encarta, not Yeah. I remember that. On CD, basically. Yeah.

But it was pretty limited, Encarta was. I mean, you really had kind of, like, I don't know, 10% of an encyclopedia on Encarta. We had a whole encyclopedia. We even added our own articles. We had someone offer to cover the world of music for us Mhmm.

For a very nice price. And they just basically uploaded all the band PR, you know, what the bands themselves wrote about themselves. So there's a little bit of pitchiness in there in our Sure. Articles about music. But, yeah, we added some of our own content.

Oh, and this is 1981, mind you. Right. If you looked up a nation like Germany Mhmm. You would get, you know, history, culture, etcetera. And embedded in with history would be, you know, what's news from Germany today, right, from the UPI wire.

Gotcha. Climate. You get today's weather in German cities. Wow. Yeah.

So it was an encyclopedia. It never went out of date. Yeah. And Another fun story about that UPI wire. So we received it.

We received the information using this big, clunky, tube-based device, interface, over a dedicated wire, and so but we said, okay.

Do you have, can we have the code table? This is Baudot code. And we had to threaten, you know, antitrust law to get that wire in the first place. Mhmm. Because they're you know?

Anyway, there was no coding table. There's no way of knowing what this bunch of bits coming over the wire represented, what letters. So what we did was we gathered these files, and then looked at the day's news in the newspaper, and looked for words like, you know, who was the president then? I don't know. But events, words in the events, and do frequency matching, and that's how we decoded the UPI code.

Gotcha. Gotcha. Military secret. It took about a day. And and what do you think about Wikipedia?

Oh, it's great. I think we could pretty I especially since they started, and this is quite a while ago now, that they started embedding their own criticisms. This article needs more original sources. This reads too much like a pitch. You know?

And I think that is phenomenal. That's the first time I know of where a reference work, you know, not only admits to its own flaws, but publishes the notices of the flaws. Here's how this needs to be improved. I think that's just fantastic. Yeah.

Yeah. Look. I'm a long, long-term Wikipedia user. I actually contribute annually. I'm a fan of the work that they do over there.

So, yeah, I'm one of the, if the emails are to be believed, I'm one of less than 3% of users who contributes on a regular annual basis. That's a fascinating story to hear back from the 1980s time frame. That's actually a couple years before we got our first family computer and many years before we got a computer that had a modem. And that's why I was really curious to hear about how you actually delivered the content, because, you know, our first computers were 5 and a quarter inch floppy. No hard drive on the first computer that I had.

So, you know, two floppy drives, one for the operating system, and then one for everything else. You know, you would kind of boot the computer off of the A drive and then use the B drive for content, files, etcetera. Yeah. Fascinating history to hear about there. Wes, this has been a really interesting conversation.

I really appreciate you taking the time to join us here today. It's been great to hear about your work in the PKI space. I love hearing the analogy around how you view the problems of a lack of accountability online today. I'm sure our audience is gonna appreciate that, and especially the stroll down memory lane with Delphi and the world's first online encyclopedia. Thank you so much for taking the time to join us here today.

Jeremy, it's my pleasure.
