Shock waves: 3 (significant). This kind of competitive intelligence has been going on forever, and it is damaging. The Web means more information gets out, and it's easier to find.
3. Google Earth
What it is: A software download that provides highly navigable satellite and aerial photography of the entire globe. (The same images are also available through Google Maps at http://maps.google.com.) The scope and resolution of the photos are eye-popping enough that Google Earth drew ire even as a beta product in 2005. Some people feel threatened that a photo of, say, their backyard is only a few clicks away, and others fear that terrorists will use the images of landmarks or pieces of the critical infrastructure to plot attacks.
How it works: After the user installs the software (the basic version is free at http://earth.google.com), she can zoom to any spot on the planet, often with enough detail to see driveways, if not cars. The virtual globe can be overlaid with information on roads, train tracks, coffee shops, hotels and more. Enterprising researchers are also overlaying Google Maps with everything from locations of murders to public rest rooms that have baby-changing tables. Images are up to three years old and come from commercial and public sources, with widely varying resolution.
Why it matters: The privacy implications of having this information so readily available are certainly worth discussing as a society, but the security risks to US-based companies are low. Much of the information was already available anyway. For instance, Microsoft stitched together images from the US Geological Survey a decade ago with its Terraserver project (http://terraserver.microsoft.com). It just doesn't work as smoothly.
Not only have these types of images long been available online, but they can also be easily purchased from government and private sources, says John Pike, director of the military think tank Globalsecurity.org. There are only a couple of legal restrictions. First, the images must be at least 24 hours old. Second, the US military has what Pike calls "shutter control": the ability to tell commercial satellite companies not to release imagery that might compromise US military operations. To the best of Pike's knowledge, the US military has never invoked this power, nor have the regulations governing satellite imagery changed during the Bush administration's war on terrorism.
"If Rummy's not worried about it," Pike says, referring to Secretary of State Donald Rumsfeld, "it's hard for me to see how anyone can lose much sleep over it."
What to do: If your organization's security plan is based on no one being able to obtain aerial or satellite photography of a facility, then it probably ain't much of a plan. "Anybody who has the capacity to constitute a threat that rises much above graffiti is going to have it in their power to get imagery of a facility," Pike says. "If security managers have something that they don't want to be seen, they need to put a roof on it."
Beyond that, be prepared for cocktail party banter about the risks and rewards of Google Earth and Google Maps. At the US Food and Drug Administration, for instance, CISO Kevin Stine finds Google Earth personally fascinating, and he likes to muse about its potential for use in, say, disaster planning. "From a CISO perspective, I think we need to be aware of these kinds of tools," he says. But for his security group, the only impact he thinks Google Earth might eventually have, if it begins to encompass more business applications, is a drain on bandwidth. In other words, it's a concern about as big as your lawn chairs seen from space.
Shock waves: 1 (minimal). Security by obscurity is so 20th century. Google Earth just illustrates why.
4. Click Fraud
What it is: The act of manipulating pay-per-click advertising. Perpetrators inflate the number of people who have legitimately clicked an online ad, either to make money for themselves or to bleed a competitor's advertising budget.
How it works: With pay-per-click advertising, an advertiser pays each time someone clicks an ad hosted on a Web site. Google, Yahoo and other search engine companies make their money by selling advertisers the right to have their text-only ads appear when someone searches for a particular keyword. There are two ways to manipulate pay-per-click advertising: competitor click fraud and network click fraud.
First, the competitor variety: Let's suppose a company that sells life insurance wants to advertise on Google. The company might bid for and win rights to the phrase "life insurance". Then, when someone runs a Google search for that exact phrase, the company's ad appears next to the search results as a sponsored link. (How close to the top of the list depends on both the price per click and the superpowered algorithms that constitute Google's secret sauce.) Each time someone clicks the sponsored link, Life Insurance Company pays the agreed-upon price to Google - say $5. With competitor click fraud, an unscrupulous competitor tries to run up Life Insurance Company's advertising bill by clicking the link. A lot.
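An added example, not from the article: one way an advertiser could screen its own click log for the competitor pattern described above, flagging any source that clicks the same ad more than a threshold number of times inside a sliding window and totalling the charges worth disputing. The log format, threshold, window, ad id and addresses are assumptions constructed for illustration; the $5 price is the article's example figure.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

PRICE_PER_CLICK = 5.00  # the article's example price; real prices vary by keyword

# Constructed sample log: (ISO timestamp, source IP, ad id). Not real traffic.
SAMPLE_CLICKS = (
    # One source clicking the same sponsored link 20 times in under a minute.
    [("2006-03-01T09:00:%02d" % s, "203.0.113.7", "life-insurance")
     for s in range(0, 40, 2)]
    + [
        # Ordinary visitors: a repeat visit hours apart, and a single click.
        ("2006-03-01T09:05:00", "198.51.100.20", "life-insurance"),
        ("2006-03-01T11:30:00", "198.51.100.20", "life-insurance"),
        ("2006-03-01T09:10:00", "198.51.100.44", "life-insurance"),
    ]
)


def flag_repeat_clickers(clicks, window=timedelta(minutes=10), max_clicks=3):
    """Return {(source, ad): excess_clicks} for sources that click the same ad
    more than max_clicks times inside any sliding window of the given length."""
    recent = defaultdict(deque)  # (source, ad) -> timestamps still in the window
    excess = defaultdict(int)
    for ts, source, ad in sorted(clicks):  # ISO timestamps sort chronologically
        t = datetime.fromisoformat(ts)
        q = recent[(source, ad)]
        q.append(t)
        while t - q[0] > window:  # drop clicks that have aged out of the window
            q.popleft()
        if len(q) > max_clicks:  # this click is beyond the allowed burst
            excess[(source, ad)] += 1
    return dict(excess)


def disputed_cost(excess, price=PRICE_PER_CLICK):
    """Amount billed for the clicks counted as excess."""
    return sum(excess.values()) * price


if __name__ == "__main__":
    flagged = flag_repeat_clickers(SAMPLE_CLICKS)
    for (source, ad), n in flagged.items():
        print(f"{source} on '{ad}': {n} excess clicks")
    print(f"disputed: ${disputed_cost(flagged):.2f}")
```

Many legitimate users can share one address behind a proxy or NAT, so a flagged source is a lead for a billing dispute with the ad network rather than proof of fraud.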