Mr. Kussmaul was the sole founder in 1981 of Delphi Internet Services Corporation, the company that popularized the internet. At the time it was sold to Rupert Murdoch's News Corporation in 1993, Delphi was among the four largest online services, along with AOL, CompuServe and Prodigy. In 1986, while CEO of Delphi, Wes launched a spinoff, Global Villages, Incorporated, to serve magazine publishers and business clients with their own private-label online services. During the next twelve years Global provided business planning, design, engineering, hosting, management and promotion services for Digital Equipment Corporation, William F. Buckley's National Review, BioTechniques, Hardcopy, International Business, Business Digest, and many other companies and magazines. Global's hosting business was sold in 1998 to NTT Verio. Wes then turned the attention of his new team to the need for reliable identities of individuals on the Internet, starting with the development of the VIVOS Enrollment Workstation. Designed to be used by notaries with minimal training, VIVOS binds biometrics of the enrollee to digital identity certificates. While developing VIVOS, Wes began collecting source material for a book about a hypothetical world public key infrastructure, built upon certificates representing reliable identities, that would bring authenticity to online interactions and privacy to individuals. As the book began to take shape Wes was introduced to a group at the International Telecommunication Union that was attempting to implement a world PKI that was similar to the one he was designing. In 2002 the predecessor of The Authenticity Institute, The Village Group, became a charter signatory to the International Telecommunication Union's World e-Trust Initiative and is now a Sector Member of the ITU. Wes is a member of the High Level Experts Group at the ITU's Global Cybersecurity Agenda.
In an address in 2008 to the United Nations World Summit on Information Society in Geneva, Wes introduced the City of Osmio. Wes received his BS in physics in 1971 from the University of Central Missouri while serving nearby in the U.S. Air Force. Upon graduation and discharge he became a systems analyst at Liberty Mutual Insurance Company, developing mainframe database applications for the next four years. Subsequent positions in sales and sales management for Gould Incorporated, Benson SA, and Tektronix, Inc. brought him in contact with the pioneers of the pre-Web Internet. Wes is an individual adherent of the International Union of Latin Notaries and has been appointed a Notary Ambassador by the National Notary Association.
The single most important step in engineering is to get the problem statement right. This is as true in social engineering as it is in information systems engineering. Wes Kussmaul's book is an attempt to do just that: to get the problem statement right, and to do so where social and information systems engineering meet, which is to say security. He deserves a gold star for even trying.
Such work is not easy. Those who say it is easy are either fools or charlatans. Kussmaul is neither a fool nor a charlatan. He brings to the task the benefit of prolonged study but he has necessarily bitten off a lot; the question for you, the prospective reader, is can you chew what he has bitten off? The answer is a hopeful "yes," but it is not trivial the way marshmallow fluff is trivial. This is difficult territory because it is important.
The four verities of governance are:
- Most important ideas are not exciting.
- Most exciting ideas are not important.
- Not every problem has a good solution.
- Every solution has side effects.
In no part of modern life is this more true than in the interplay around security. Security is about tradeoffs between simplicity and flexibility, between effectiveness and precision. Forks in the road appear at every turn, between security and privacy, between the public and the private, between the national and the local, and so forth. To get "the big picture," as it is generally called, is very, very difficult. Getting the big picture absolutely does not mean backing off far enough that you can make blurry pronouncements as if details didn't matter -- security is exactly where details matter most. Getting the big picture in security means to have a near-complete view of every detail.
Why every detail? Because for security to work you have to know how it fails. If that doesn't strike you as profound, pause for a moment and re-think your intuition. How security fails drives how security can be applied and how it can advance; for that reason the details matter, and they matter enormously. All the security technologies and strategies that have been developed to date have something to teach us about what not to do next time. If we grasp the failure modes then we can make progress. If we cannot, then we are doomed to reinventing the unworkable.
In that bigger picture we, all of us, are jointly at a considerable crossroad with respect to security. There is no doubt that "information society" is an apt enough description of the future. Thus the main and nearly philosophical question before us is whether we craft security technology that conforms to the real world intuitions of real people, or whether we expect those real people to conform to the security technology that we actually build. In other words, what is the problem statement?
Kussmaul attempts to answer this, and because he is looking forward there is necessarily some speculation to what he has to say. Perfect predictions of possible futures do not exist and because security is largely about tradeoffs he has to make some. This is a sign of rationality because it is only the fool or the charlatan who says that "You can have it all." Instead, Kussmaul starts from "What do we want?" and from that derives "What do we need?" He understands that trust is efficient but only if there is recourse to its misuse. He understands the real world intuitions of real people and deftly uses analogies of the physical world to derive what is missing in today's security solutions.
He has even gone so far as to practice what he preaches. He establishes a base point -- that identity must matter -- and from there critically reviews nearly every one of the security world's existing answers to the identity question. He is skeptical (what the great thinker Santayana recommended by calling skepticism the "chastity of the intellect") but, as every businessman has learned, there is no point in complaining if you don't have an alternative. This book is both that complaint and that alternative. Kussmaul has become an Individual Adherent of the Latin Notariat (read on). He has implemented the technology for his vision if for no other reason than to prove by demonstration that it can be done. His effort, in other words, is the real thing.
It is, of course, true that in the social and technology marketplaces the best product frequently does not win. If "best" always won there would be no need for advertising, after all. This is perhaps especially true when it comes to technologies that succeed most when they are least visible, and that describes security technology particularly well. In fact, one of the National Science Foundation's four "grand challenges in digital security" is to make being safe no longer require being an expert. If being safe is to not require massive re-education then being safe will have to rely on one of two things: the public's intuitive and thus willing participation in its own security, or the public's outsourcing its safety to someone else to take care of it for them -- a privatized digital nanny state. To this writer, the latter is anathema.
Thus we come to a recommendation: Read this book. Read it with the skepticism of its writer. If you like it, then proceed accordingly. If you don't, then offer an alternative at least as far reaching and no more costly. You will find that task challenging -- not exciting, merely important.