Digital Identity and Public Benefits

Both the U.S. National Institute of Standards and Technology and the Digital Benefits Hub made important announcements this morning. I will quote portions of the latter announcement.

The National Institute of Standards and Technology (NIST), the Digital Benefits Network (DBN) at the Beeck Center for Social Impact + Innovation at Georgetown University, and the Center for Democracy and Technology (CDT) are collaborating on a two-year-long collaborative research and development project to adapt NIST’s digital identity guidelines to better support the implementation of public benefits policy and delivery while balancing security, privacy, equity, and usability….

In response to heightened fraud and related cybersecurity threats during the COVID-19 pandemic, some benefits-administering agencies began to integrate new safeguards such as individual digital accounts and identity verification, also known as identity proofing, into online applications. However, the use of certain approaches, like those reliant upon facial recognition or data brokers, has raised questions about privacy and data security, due process issues, and potential biases in systems that disproportionately impact communities of color and marginalized groups. Simultaneously, adoption of more effective, evidence-based methods of identity verification has lagged, despite recommendations from NIST (Question A4) and the Government Accountability Office

There’s a ton to digest here. This impacts a number of issues that I and others have been discussing for years.

NIST’s own press release, by the way, can be found here.

A Few Thoughts on FedRAMP

The 438 U.S. federal agencies (as of today) probably have over 439 different security requirements. When you add state and local agencies to the list, security compliance becomes a mind-numbing exercise.

  • For example, the U.S. Federal Bureau of Investigation has its Criminal Justice Information Systems Security Policy (version 5.9 is here). This applies not only to the FBI, but to any government agency or private organization that interfaces with the relevant FBI systems.
  • Similarly, the U.S. Department of Health and Human Services has its Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Again, this also applies to private organizations.

But I don’t care about those. (Actually I do, but for the next few minutes I don’t.) Instead, let’s talk FedRAMP.

Why do we have FedRAMP?

The two standards that I mentioned above apply to particular government agencies. Sometimes, however, the federal government attempts to create a standard that applies to ALL federal agencies (and other relevant bodies). You can say that Login.gov is an example of this, although a certain company (I won’t name the company, but it likes to ID me) repeatedly emphasizes that Login.gov is not IAL2 compliant.

But forget about that. Let’s concentrate on FedRAMP.

Why do we have FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP®) was established in 2011 to provide a cost-effective, risk-based approach for the adoption and use of cloud services by the federal government. FedRAMP empowers agencies to use modern cloud technologies, with an emphasis on security and protection of federal information. In December 2022, the FedRAMP Authorization Act was signed as part of the FY23 National Defense Authorization Act (NDAA). The Act codifies the FedRAMP program as the authoritative standardized approach to security assessment and authorization for cloud computing products and services that process unclassified federal information.

From https://www.fedramp.gov/program-basics/.

Note the critical word “unclassified.” So FedRAMP doesn’t cover EVERYTHING. But it does cover enough to allow federal agencies to move away from huge on-premises server rooms and enjoy the same SaaS advantages that private entities enjoy.

Today, government agencies can consult a FedRAMP Marketplace that lists FedRAMP offerings the agencies can use for their cloud implementations.

A FedRAMP authorized product example

When I helped MorphoTrak propose its first cloud-based automated biometric identification solutions, our first customers were state and local agencies. To propose those first solutions, MorphoTrak partnered with Microsoft and used its Azure Government cloud. While those first implementations were not federal and did not require FedRAMP authorization, MorphoTrak’s successor IDEMIA clearly has an interest in providing federal non-classified cloud solutions.

When IDEMIA proposes federal solutions that require cloud storage, it can choose to use Microsoft Azure Government, which is now FedRAMP authorized.

It turns out that a number of other FedRAMP-authorized products are partially dependent upon Microsoft Azure Government’s FedRAMP authorization, so continued maintenance of this authorization is essential to Microsoft, a number of other vendors, and all the agencies that require secure cloud solutions.

They can only hope that the GSA Inspector General doesn’t find fault with THEM.

Is FedRAMP compliance worth it?

But assuming that doesn’t happen, is it worthwhile for vendors to pursue FedRAMP compliance?

If you are a company with a cloud service, there are likely quite a few questions you are asking yourself about your pursuits in the Federal market. When will the upward trajectory of cloud adoption begin? What agency will be the next to migrate to the cloud? What technologies will be migrated? As you move forward with your business development strategy you will also question whether FedRAMP compliance is something you should pursue?

The answer to the last question is simple: Yes. If you want the Federal Government to purchase your cloud service offering you will, sooner or later, have to successfully navigate the FedRAMP process.

From https://www.mindpointgroup.com/blog/fedramp-compliance-is-it-worth-it.

And a lot of companies are doing just that. But with fewer than 400 FedRAMP authorized services, there’s obviously room for growth.

Ransomware Doesn’t Celebrate a Holiday

Government Technology posted an article on a ransomware attack that affected Ardent Health Services facilities in multiple U.S. states, including Texas, Idaho, New Mexico, Oklahoma, New Jersey, and Kansas over Thanksgiving Day, requiring some ambulances to be diverted and some services suspended.

Government Technology observed:

The Thanksgiving timing of the attack is unlikely to be coincidental. Hackers are believed to see holiday weekends as an opportunity to strike while network defenders and IT are likely “at limited capacity for an extended time,” the Cybersecurity and Infrastructure Security Agency (CISA) has noted.

From https://www.govtech.com/security/ransomware-impacts-health-care-systems-in-six-states

And it’s not like the hackers are necessarily having to pass up on their turkey dinner. Few if any holidays are universal, and over 7 billion people (including many hackers) did NOT celebrate Thanksgiving last Thursday.

Does this mean that companies need to INCREASE security staff during holiday periods?

Is Your Healthcare Bot Healthy For You?

Robert Young (“Marcus Welby”) and Jane Wyatt (“Margaret Anderson” on a different show). By ABC Television, Public Domain, https://commons.wikimedia.org/w/index.php?curid=16472486

We’ve come a long way since the days of Marcus Welby, M.D. (who was a fictional character).

  • Back in the days of Marcus Welby, M.D., we trusted the doctor as the sole provider of medical information. Doctor knows best!
  • Later, we learned about health by searching the Internet ourselves, using sources of varying trustworthiness such as pharmaceutical company commercials.
  • Now, we don’t even conduct the searches ourselves, but let an artificial intelligence healthcare bot search for us, even though the bot hallucinates sometimes.

A “hallucination” occurs when generative AI is convinced that its answer is correct, even when it is wrong. These hallucinations could be a problem—in healthcare, literally a matter of life or death.

What can go wrong with AI healthcare?

The Brookings Institution details several scenarios in which reliance on artificial intelligence can get messy from a legal (and ethical) standpoint. Here is one of them.

For example, a counselor may tell a patient with a substance use disorder to use an app in order to track cravings, states of mind, and other information helpful in treating addiction. The app may recommend certain therapeutic actions in case the counselor cannot be reached. Setting aside preemption issues raised by Food and Drug Administration regulation of these apps, important questions in tort law arise. If these therapeutic actions are contraindicated and result in harm to the patient or others, is the app to blame? Or does the doctor who prescribed the app bear the blame?

From https://www.brookings.edu/articles/when-medical-robots-fail-malpractice-principles-for-an-era-of-automation/

Who is going to ensure that these bots can be trusted?

Who is concerned? Yes.

It seems to me they give these robot doctors now-a-days very peculiar names. By Public Domain – Snapshot Image – https://archive.org/details/ClassicComedyTeams, Public Domain, https://commons.wikimedia.org/w/index.php?curid=25914575

That’s right. WHO is going to ensure that these bots can be trusted.

A World Health Organization publication…

…underscores the critical need to ensure the safety and efficacy of AI systems, accelerating their availability to those in need and encouraging collaboration among various stakeholders, including developers, regulators, manufacturers, healthcare professionals, and patients.

From https://www.openaccessgovernment.org/who-outlines-responsible-regulations-needed-for-artificial-intelligence-in-healthcare/170622/

According to WHO, its document proposes six areas of artificial intelligence regulation for health.

  • To foster trust, the publication stresses the importance of transparency and documentation, such as through documenting the entire product lifecycle and tracking development processes.
  • For risk management, issues like ‘intended use’, ‘continuous learning’, human interventions, training models and cybersecurity threats must all be comprehensively addressed, with models made as simple as possible.
  • Externally validating data and being clear about the intended use of AI helps assure safety and facilitate regulation.
  • A commitment to data quality, such as through rigorously evaluating systems pre-release, is vital to ensuring systems do not amplify biases and errors.
  • The challenges posed by important, complex regulations – such as the General Data Protection Regulation (GDPR) in Europe and the Health Insurance Portability and Accountability Act (HIPAA) in the United States of America – are addressed with an emphasis on understanding the scope of jurisdiction and consent requirements, in service of privacy and data protection.
  • Fostering collaboration between regulatory bodies, patients, healthcare professionals, industry representatives, and government partners, can help ensure products and services stay compliant with regulation throughout their lifecycles.

From https://www.who.int/news/item/19-10-2023-who-outlines-considerations-for-regulation-of-artificial-intelligence-for-health

The 61-page document, “Regulatory considerations on artificial intelligence for health,” is available via https://iris.who.int/handle/10665/373421.

If You’re on the Biometric Digital Identity Prism, Enlighten Your Prospects

In marketing, move quickly.

On Saturday, September 30, FindBiometrics and Acuity Market Intelligence released their joint document on the Biometric Digital Identity Prism.

From https://findbiometrics.com/prism/ as of 9/30/2023.

For those who don’t know, the Prism presents an organized view of all of the digital identity companies—or at least the ones that FindBiometrics and Acuity Market Intelligence knew about. In the last few days, they were literally beggin’ to give companies a last chance for inclusion.

On Monday, I began to see a trickle of companies that talked about their place on the Prism, including iProov and Trustmatic.

But many companies remained silent. They have the right to do so, but it’s mystifying.

Why were they quiet?

What if they knew they had to say something…but they didn’t have someone to help them craft a statement?

Do you need to enlighten your prospects?

If you need help making your statement to your prospects and customers, perhaps Bredemarket can assist.

I’ve been in the industry for 29 years, and remember when the “Big 3” were a (mostly) different Big 3.

If the biometric content marketing expert can help you with identity blog post writing (or identity LinkedIn article writing or whatever), contact me and we can work together to position your company.

  • Book a meeting with me at calendly.com/bredemarket. Be sure to fill out the information form so I can best help you. 

The Difference Between Identity Factors and Identity Modalities

(Part of the biometric product marketing expert series)

I know that I’m the guy who likes to say that it’s all semantics. After all, I’m the person who has referred to five-page long documents as “battlecards.”

But sometimes the semantics are critically important. Take the terms “factors” and “modalities.” On the surface they sound similar, but in practice there is an extremely important difference between factors of authentication and modalities of authentication. Let’s discuss.

What is a factor?

To answer the question “what is a factor,” let me steal from something I wrote back in 2021 called “The five authentication factors.”

Something You Know. Think “password.” And no, passwords aren’t dead. But the use of your mother’s maiden name as an authentication factor is hopefully decreasing.

Something You Have. I’ve spent much of the last ten years working with this factor, primarily in the form of driver’s licenses. (Yes, MorphoTrak proposed driver’s license systems. No, they eventually stopped doing so. But obviously IDEMIA North America, the former MorphoTrust, has implemented a number of driver’s license systems.) But there are other examples, such as hardware or software tokens.

Something You Are. I’ve spent…a long time with this factor, since this is the factor that includes biometrics modalities (finger, face, iris, DNA, voice, vein, etc.). It also includes behavioral biometrics, provided that they are truly behavioral and relatively static.

Something You Do. The Cybersecurity Man chose to explain this in a non-behavioral fashion, such as using swiping patterns to unlock a device. This is different from something such as gait recognition, which supposedly remains constant and is thus classified as behavioral biometrics.

Somewhere You Are. This is an emerging factor, as smartphones become more and more prevalent and locations are therefore easier to capture. Even then, however, precision isn’t always as good as we want it to be. For example, when you and a few hundred of your closest friends have illegally entered the U.S. Capitol, you can’t use geolocation alone to determine who exactly is in Speaker Pelosi’s office.

From https://bredemarket.com/2021/03/02/the-five-authentication-factors/

(By the way, if you search the series of tubes for reading material on authentication factors, you’ll find a lot of references to only three authentication factors, including references from some very respectable sources. Those sources are only 60% right, since they leave off the final two factors I listed above. It’s five factors of authentication, folks. Maybe.)

The one striking thing about the five factors is that while they can all be used to authenticate (and verify) identities, they are inherently different from one another. The ridges of my fingerprint bear no relation to my 16 character password, nor do they bear any relation to my driver’s license. These differences are critical, as we shall see.

What is a modality?

In identity usage, a modality refers to different variations of the same factor. This is most commonly used with the “something you are” (biometric) factor, but it doesn’t have to be.

Biometric modalities

The identity company Aware, which offers multiple biometric solutions, spent some time discussing several different biometric modalities.

[M]any businesses and individuals (are adopting) biometric authentication as it has been established as the most secure authentication method surpassing passwords and pins. There are many modalities of biometric authentication to pick from, but which method is the best?

From https://www.aware.com/blog-which-biometric-authentication-method-is-the-best/

After looking at fingerprints, faces, voices, and irises, Aware basically answered its “best” question by concluding “it depends.” Different modalities have their own strengths and weaknesses, depending upon the use case. (If you wear thick gloves as part of your daily work, forget about fingerprints.)

ID R&D goes a step further and argues that it’s best to use multimodal biometrics, in which the two biometrics are face and voice. (By an amazing coincidence, ID R&D offers face and voice solutions.)

And there are many other biometric modalities.

From Sandeep Kumar, A. Sony, Rahul Hooda, Yashpal Singh, in Journal of Advances and Scholarly Researches in Allied Education | Multidisciplinary Academic Research, “Multimodal Biometric Authentication System for Automatic Certificate Generation.”

Non-biometric modalities

But the word “modalities” is not reserved for biometrics alone. The scientific paper “Multimodal User Authentication in Smart Environments: Survey of User Attitudes,” just released in May, includes this image that lists various modalities. As you can see, two of the modalities are not like the others.

From Aloba, Aishat & Morrison-Smith, Sarah & Richlen, Aaliyah & Suarez, Kimberly & Chen, Yu-Peng & Ruiz, Jaime & Anthony, Lisa. (2023). Multimodal User Authentication in Smart Environments: Survey of User Attitudes. Creative Commons Attribution 4.0 International

  • The three modalities in the middle—face, voice, and fingerprint—are all clearly biometric “something you are” modalities.
  • But the modality on the left, “Make a body movement in front of the camera,” is not a biometric modality (despite its reference to the body), but is an example of “something you do.”
  • Passwords, of course, are “something you know.”

In fact, each authentication factor has multiple modalities.

  • For example, a few of the modalities associated with “something you have” include driver’s licenses, passports, hardware tokens, and even smartphones.

Why multifactor is (usually) more robust than multimodal

Modalities within a single authentication factor are more closely related to one another than modalities drawn from different authentication factors. As I mentioned above when talking about factors, there is no relationship between my fingerprint, my password, and my driver’s license. However, there is SOME relationship between my driver’s license and my passport, since the two share some common information such as my legal name and my date of birth.

What does this mean?

  • If I’ve fraudulently created a fake driver’s license in your name, I already have some of the information that I need to create a fake passport in your name.
  • If I’ve fraudulently created a fake iris, there’s a chance that I might already have some of the information that I need to create a fake face.
  • However, if I’ve bought your Coinbase password on the dark web, that doesn’t necessarily mean that I was able to also buy your passport information on the dark web (although it is possible).

Therefore, while multimodal authentication is better than unimodal authentication, multifactor authentication is usually better still (unless, as Incode Technologies notes, one of the factors is really, really weak).

Can an identity content marketing expert help you navigate these issues?

As you can see, you need to be very careful when writing about modalities and factors.

You need a biometric content marketing expert who has worked with many of these modalities.

Actually, you need an identity content marketing expert who has worked with many of these factors.

So if you are with an identity company and need to write a blog post, LinkedIn article, white paper, or other piece of content that touches on multifactor and multimodal issues, why not engage with Bredemarket to help you out?

If you’re interested in receiving my help with your identity written content, contact me.

Generative AI Guidelines in San Jose, California

The Bredemarket blog has previously considered how private companies like Samsung and Adobe use generative AI. Government use is similar, yet differs in some ways. Let’s see how San Jose, California approaches it.

As GovTech reported in its article “San Jose Releases Generative AI Guidelines, Looks to Learn,” some of the concerns of San Jose’s city government are similar to issues with which private companies grapple.

Privacy is also a concern, and IT advises generative AI users to assume any information entered will be exposed to the public. Materials unready for publication shouldn’t be entered, nor should private emails. Employees looking for help drafting emails should avoid copy-pasting messages into generative AI, instead prompting the tools to write a generic message they can fact-check or augment with personalized details. The guidelines advise users to fact-check with multiple credible sources, including peer-reviewed journals and official documents.

From https://www.govtech.com/artificial-intelligence/san-jose-releases-generative-ai-guidelines-looks-to-learn

This is a big concern for private companies, also.

But there are also issues that governments need to consider that private companies may not need to address.

One consideration is that government writing requires a particular style. Senate bills, for example, are written with a certain structure and formality. The city also uses gender-neutral language and the term “resident” rather than “citizen.” 

From https://www.govtech.com/artificial-intelligence/san-jose-releases-generative-ai-guidelines-looks-to-learn

Of course private companies have their own writing styles, but the world won’t come to an end if the IBM memorandum includes the word “gnarly.” But the wrong word in a Senate bill, or the use of the term “citizen” in a blue state, could be catastrophic.

One thing is clear: San Jose Chief Information Officer Khaled Tawfik doesn’t think that general-purpose generative AI will cut it.

San Jose has talked with several vendors about the possibility of AI trained on data from government, potentially restricted to San Jose data only.

From https://www.govtech.com/artificial-intelligence/san-jose-releases-generative-ai-guidelines-looks-to-learn

As I noted in my post about Writer.com, this also allows implementation of privacy restrictions that could help avert problems if an employee inputs confidential information into the tool.

For the moment, San Jose is asking employees and contractors to log all use of generative AI. This will be referenced as the city develops its guidelines and policies in the future. As the city says:

Generative Artificial Intelligence (AI) is a new branch of AI technology that can generate content—such as stories, poetry, images, voice, and music— at the request of a user. Many organizations have banned Generative AI, while others allow unrestricted usage. The City recognizes the opportunity for a controlled and responsible approach that acknowledges the benefits to efficiency while minimizing the risks around AI bias, privacy, and cybersecurity.  

This is the first step in a collaborative process to develop the City’s overall AI policy. Registered users will be invited to join the Information Technology Department in a working group to share their experience and co-develop the City’s AI policies.

From https://www.sanjoseca.gov/your-government/departments-offices/information-technology/itd-generative-ai-guideline

Bredemarket’s Name for the Sixth Factor of Authentication

Depending upon whom you ask, there are either three or five factors of authentication.

Unless you ask me.

I say that there are six.

Let me explain.

First I’ll discuss what factors of authentication are, then I’ll talk about the three-factor and five-factor schools, then I’ll briefly review my thoughts on the sixth factor—now that I know what I’ll call it.

What are factors of authentication?

Before proceeding to factors of authentication, let’s review TechTarget’s definition of authentication.

Authentication is the process of determining whether someone or something is, in fact, who or what it says it is.

From https://www.techtarget.com/searchsecurity/definition/authentication

For purposes of this post I’m going to stay away from the “something” part and concentrate on the “someone” part.

For example, if Warren Buffett has a bank account, and I claim that I am Warren Buffett and am entitled to take money from that bank account, I must complete an authentication process to determine whether I am entitled to Warren Buffett’s money. (Spoiler alert: I’m not.)

So how do I authenticate? There are many different ways to authenticate, which can be grouped into several authentication factors. Here’s how Sumo Logic defines “authentication factor.”

An authentication factor is a special category of security credential that is used to verify the identity and authorization of a user attempting to gain access, send communications, or request data from a secured network, system or application….Each authentication factor represents a category of security controls of the same type. 

From https://www.sumologic.com/glossary/authentication-factor/

When considering authentication factors, the whole group/category/type definition is important. For example, while a certain system may require both a 12-character password and a 4-digit personal identification number (PIN), these are pretty much the same type of authentication. It’s just that the password is longer than the PIN. From a security perspective, you don’t gain a lot by requiring both a password and a PIN. You would gain more by choosing a type of authentication that is substantially different from passwords and PINs.

How many factors of authentication are there?

So how do we define the factors of authentication? Different people have different definitions.

Three factors of authentication

For the most part, I believe that everyone agrees on at least three factors of authentication. As I noted in a prior post on factors of authentication, NIST defines the following three factors:

Factors include: (i) something you know (e.g. password/personal identification number (PIN)); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric).

From https://csrc.nist.gov/glossary/term/Multi_Factor_Authentication, cited in https://bredemarket.com/2022/03/19/remember-the-newer-factors-of-authentication/

Note that NIST’s three factors are very different from one another. Knowing something (such as a password or a PIN) differs from having something (such as a driver’s license) or being something (a fingerprint or a face).

But some people believe that there are more than three factors of authentication.

Five factors of authentication

Let’s add two factors to the definition trumpeted by NIST. People such as The Cybersecurity Man have included all five in their definition.

  • Something you know.
  • Something you have.
  • Something you are.
  • Something you do.
  • Somewhere you are.

For more information, see my March 2021 post on the five factors of authentication.

But are there only five?

Six factors of authentication

In April 2022, I began wondering if there is a sixth authentication factor. While I struggled to put it into the “some xxx you xxx” format, I was able to encapsulate what this sixth factor was.

What about the authentication factor “why”?

This proposed factor, separate from the other factors, applies a test of intent or reasonableness to any identification request.

From https://bredemarket.com/2022/04/12/the-sixth-factor-of-multi-factor-authentication-you-heard-it-here-first/

Why is this man smoking a cigarette outdoors? By Marek Slusarczyk, CC BY 3.0, https://commons.wikimedia.org/w/index.php?curid=108924712

Over the months, I struggled through some examples of the “why” factor.

  • Why is a person using a credit card at a McDonald’s in Atlantic City? Or, was the credit card stolen, or was it being used legitimately?
  • Why is a person boarding a bus? Or, was the bus pass stolen, or was it being used legitimately?
  • Why is a person standing outside a corporate office with a laptop and monitor? Or, is there a legitimate reason for an ex-employee to gain access to the corporate office?

As I refined my thinking, I came to the conclusion that “why” is a reasonable factor of authentication, and that this was separate from the other authentication factors (such as “something you do”).

And the sixth factor of authentication is called…

You’ll recall that I wanted to cast this sixth authentication factor into the “some xxx you xxx” format.

So, as of today, here is the official Bredemarket list of the six factors of authentication:

  • Something you know.
  • Something you have.
  • Something you are.
  • Something you do.
  • Somewhere you are.

(Drumroll…)

  • Somewhat you why.

Yes, the name of this factor stands out from the others like a sore thumb (probably a loop).

However, the performance of this factor stands out from the others. If we can develop algorithms that accurately measure the “why” reasonableness of something as a way to authenticate identity, then our authentication capabilities will become much more powerful.

When should you target a competitor?

Companies must choose how their marketing will address their competitors. Some choose to ignore the competition, while others publicly target them. And some companies do both simultaneously.

Trellix et al: targeting competitors

Trellix, the company that emerged from the combination of McAfee Enterprise and FireEye, chose to target its competitors. Trellix’s website contains two pages that target two specific competitors.

  • Trellix vs. CrowdStrike claims that Trellix delivers “earlier, better protection across all phases of the attack chain.” It follows this with a comparison chart that claims security lags.
  • Trellix vs. SentinelOne makes the same claim, but with a different comparison chart that claims a lack of expertise.

For its part, CrowdStrike offers comparisons against both SentinelOne and “McAfee,” while SentinelOne offers comparisons against both CrowdStrike and “McAfee.” Apparently these firms need to update their pages to reflect the new company name (and possibly new features) of Trellix.

Obviously the endpoint protection industry demands these types of comparisons to sway buyers to choose one product over another.

Apple: targeting industry leaders (and ignoring other competitors)

But competitor targeting is also used by up-and-coming firms to displace established ones. I’ve previously talked about (then) Apple Computer’s famous “Welcome, IBM. Seriously” ad “welcoming” IBM to the personal computer industry. This was part of Steve Jobs’ multi-year effort to grow Apple by targeting and displacing IBM. But while IBM was the clear target, Apple also targeted everyone else, as Bill Murphy, Jr. noted:

Added benefit: There were actually other personal computer companies that were just as successful as Apple at the time, like Commodore, Tandy, and Osborne. The Apple ad ignored them.

From https://www.inc.com/bill-murphy-jr/37-years-ago-steve-jobs-ran-apples-most-amazing-ad-heres-story-its-almost-been-forgotten.html

By framing the circa 1981 computer industry as a battle between Apple and IBM, Jobs captured the world’s attention. Not only by positioning Apple as David in a battle against Goliath, but by positioning Apple as one of only two companies that mattered. This marketing would reach its peak three years later, in 1984.

From https://www.youtube.com/watch?v=R706isyDrqI

When the targeter becomes the target

After 1984, the computer world changed dramatically (as it always does), with other companies creating what were then called “clones,” as well as the massive changes at both IBM and “Apple Computer” (now Apple).

Eventually, small spunky outfits challenged Apple itself, with Fortnite in particular targeting Apple’s requirement that Fortnite exclusively use Apple payments.

From https://www.youtube.com/watch?v=fHLuKumkASg

So when should you target competitors?

The decision on whether or not to publicly acknowledge and target competitors varies depending upon a company’s culture and its market position.

  • As seen above, some markets such as the endpoint protection market demand competitor comparisons. Others (Apple 1981-1984, Fortnite 2020) target competitors to buttress their own positions. And don’t forget how Avis targeted Hertz in 1962, and Hertz subsequently responded.
  • Then again, sometimes it’s best to not acknowledge the competition. Again note that Apple only acknowledged one competitor in the early 1980s, refusing to acknowledge that the other competitors even existed.
  • In some cases, companies don’t acknowledge the competition because they don’t believe they measure up to the competition on benefits, features, or even price. For these companies, their challenge is to identify some advantage over the competition and promote that advantage, even if the relevant competitors are not explicitly mentioned.

Clearview AI and Ukraine: when a company pursues the interests of its home country

In the security world (biometrics, access control, cybersecurity, and other areas), there has been a lot of discussion about the national origins and/or ownership of various security products.

If a particular product originates in country X, then will the government of country X require the product to serve the national interests of country X?

You see the effects of this everywhere:

  • FOCI mitigation at U.S. subsidiaries of foreign countries.
  • Marketing materials that state that a particular product is the best “among Western vendors” (which may or may not explain why this is important – see the second caveat here for examples).
  • European Union regulations that serve to diminish American influence.
  • The policies of certain countries (China, Iran, North Korea, Russia) that serve to eliminate American influence entirely.

Clearview AI, Ukraine, and Russia

Clearview AI is a U.S. company, but its relationship with the U.S. government is, in Facebook terms, “complicated.”

It’s complicated primarily because “the U.S. government” consists of a number of governments at the federal, state, and local level, and a number of agencies within these governments that sometimes work at cross-purposes with one another. Some U.S. government agencies love Clearview AI, while others hate it.

However, according to Reuters, the Ukrainian government can be counted in the list of governments that love Clearview AI.

Ukraine is receiving free access to Clearview AI’s powerful search engine for faces, letting authorities potentially vet people of interest at checkpoints, among other uses, added Lee Wolosky, an adviser to Clearview and former diplomat under U.S. presidents Barack Obama and Joe Biden.

From https://www.reuters.com/technology/exclusive-ukraine-has-started-using-clearview-ais-facial-recognition-during-war-2022-03-13/

But before you assume that Clearview is just helping anybody, Reuters also pointed this out.

Clearview said it had not offered the technology to Russia…

From https://www.reuters.com/technology/exclusive-ukraine-has-started-using-clearview-ais-facial-recognition-during-war-2022-03-13/

Here is an example of a company that is supporting certain foreign policies of the government of the country in which it resides. Depending upon your own national origin, you may love this example, or you may hate this example.

Of course, even some who support U.S. actions in Ukraine may not support Clearview AI’s actions in Ukraine. But that’s another story.