All computers are hackable. This includes your smart phones and any other device with a microchip in it. This has as much to do with market forces as it does with the technology.
We prefer our software full of features and cheap, at the expense of security and reliability. The industry is filled with market failures that, until now, have been largely ignorable. As computers continue to permeate our offices, homes, cars and businesses, these market failures will no longer be tolerable.
Our only solution will be regulation, and that regulation will be foisted on us by governments desperate to “do something” in the face of disaster.
The reality is we no longer have things with computers embedded in them. We have computers with things attached to them – even humans!
We are building an Internet that senses, thinks, and acts. This is the classic definition of a robot. We’re building a world-size robot, and we don’t even realise it.
To be sure, it’s not a robot in the classical sense. We think of robots as discrete autonomous entities, with sensors, brain, and actuators all together in a metal shell. The world-size robot is distributed. It doesn’t have a singular body, and parts of it are controlled in different ways by different people. It is the extension of our computer networks from cyberspace into the real world!
This world-size robot is actually more than just the Internet of Things (IoT). It’s a combination of several decades-old computing trends: mobile computing, cloud computing, always-on computing, huge databases of personal information, the Internet of Things and artificial intelligence (AI). And while it’s still not very smart and still disparate, it’ll get smarter. It’ll get more powerful and more capable through all the interconnections we’re building.
Traditionally, cybersecurity is divided into three categories: confidentiality, integrity, and availability. Initially our cybersecurity concerns have largely centered on confidentiality. We’re concerned about our data and who has access to it – the world of privacy and surveillance, of personal identity and data theft.
But threats continuously evolve. Availability threats: computer viruses that delete our data, or ransomware that encrypts our data and demands payment for the unlock key.
Integrity threats: hackers who can manipulate data entries can do things ranging from changing grades in a class to changing the amount of money in bank accounts. Some of these threats are pretty bad. Hospitals have paid hundreds of thousands of dollars to criminals whose ransomware encrypted critical medical files.
Today, the integrity and availability threats are much worse than the confidentiality threats. Once computers start affecting the world in a direct and physical manner, there are real risks to life and property. There is a fundamental difference between crashing your computer and losing your document, and crashing your pacemaker and losing your life! This isn’t mere speculation; recently researchers found serious security vulnerabilities in implantable heart devices.
Our computers and smartphones are as secure as they are because tech companies like Apple, Microsoft, Samsung and Google spend a lot of time testing their code before it’s released, and quickly patch vulnerabilities when they’re discovered.
These companies can support large, dedicated teams because these companies make a huge amount of money, either directly or indirectly, from their software. Unfortunately, this isn’t true of embedded systems and IoT devices like car systems or home routers. These systems are sold at a much lower margin, and are often built by offshore third parties. These companies simply don’t consider security!
The market can’t fix this because neither the buyer nor the seller cares. There is no market solution, because the cyber insecurity is what economists call an externality: It’s an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution – the cost passed back to society.
Cybersecurity has become an arms race between attacker and defender.
Here are a few points to consider:
1. In cyberspace, attack is easier than defense.
There are many reasons for this, but the most important is the complexity of these systems. More complexity means more moving parts, more interactions, and more mistakes in the design and development process. Cybersecurity experts like to speak about the attack surface of a system: all the possible points an attacker might target and that must be secured.
2. Most software is poorly written and insecure.
If complexity isn’t enough, we compound the problem by producing lousy software. Well-written software, like the kind found in airplane avionics, is both expensive and time-consuming to produce.
3. Connecting everything via the Internet will expose new vulnerabilities.
The more we network things together, the more vulnerabilities on one thing will affect other things. This is the essence of creating what hackers call a botnet. Vulnerabilities like these are particularly hard to fix, because no one system might actually be at fault. It might be the insecure interaction of two individually secure systems.
4. Cyberspace has no borders.
One of the most powerful properties of the Internet is that it allows things to scale. This is true for our ability to access data, watch Netflix or control systems or do any of the cool things we use the Internet for, but it’s also true for cyberattacks.
It’s not just that these modern cyberattackers are more efficient, it’s that the Internet allows cyberattacks to scale to a degree impossible without computers and global networks.
In general, there are two basic paradigms of security. We can either try to secure something well the first time, or we can make our security agile.
The first paradigm comes from the world of life-threatening things: from planes, medical devices, medications, even buildings.
It’s the paradigm that gives us secure design and secure engineering, security testing and certifications, professional licensing, detailed preplanning and complex government approvals, and long times-to-market.
It’s security for a world where getting it right is paramount because getting it wrong means people dying. It’s also applied to carrier-class or military-grade specifications.
The second paradigm comes from the fast-moving, and previously largely benign, world of software and cyberspace.
In this paradigm, we have rapid prototyping, on-the-fly updates, and continual improvement. In this paradigm, new vulnerabilities are discovered all the time and security disasters regularly happen.
Here, we stress survivability, recoverability, mitigation, adaptability, and stumbling through. This is security for a world where getting it wrong is okay – as long as you can respond fast enough with backup and recovery.
These two worlds are colliding. They’re colliding in our cars – literally – in our medical devices, our building control systems, our air traffic control systems, and our voting machines.
And although these paradigms are wildly different and largely incompatible, we need to figure out how to make them work together.
So far, we haven’t done very well. We still largely rely on the first paradigm for the dangerous computers in cars, airplanes, and medical devices. As a result, there are medical life support systems that can’t have security patches installed because that would invalidate their government approvals. I kid you not!
Markets alone can’t solve our security problems. Markets are motivated by profit and short-term goals at the expense of society.
This all points to policy and regulation. While the details of any computer-security system are technical, getting the technologies broadly deployed is a problem that spans law, economics, psychology, and sociology. And getting the policy right is just as important as getting the technology right because, for Internet security to work, law and technology have to work together.
This is probably the most important lesson of Edward Snowden’s NSA disclosures. We already knew that technology can subvert law. Snowden demonstrated that law can also subvert technology. Both fail unless they work together. It’s not enough to just let technology do its thing – it will leave the law behind!
There’s a fundamental mismatch between the way government works and the way this technology works that makes dealing with this problem near impossible at the moment.
Furthermore, government operates in silos. Each ministry has a different mandate and different rules. They have no expertise in these new technical issues, and they are not quick to expand their authority.
On the other hand, the Internet is a freewheeling system of integrated objects and networks. It grows exponentially, demolishing old technological barriers so that people and systems that never previously communicated now can. Already, apps on a smartphone can log health information, control your energy use, and communicate with your car and TV.
That’s a set of functions that crosses jurisdictions of at least four different government departments in my experience, and it’s only going to get worse!
Any solutions here need to be holistic. They need to work everywhere, for everything. Whether we’re talking about cars, drones, or smart phones, they’re all computers.
Here’s the reality – governments will get involved, regardless. The risks are too great, and the stakes are too high, even impacting national security. Government already regulates dangerous physical systems like aviation and medical devices. Regulations are necessary, important, and complex; and they’re coming.
As a wiser man than I, and pioneering cyberpunk, succinctly stated: “Everyone knows, or should know, that everything we type on our computers or say into our Smartphones is being disseminated throughout ‘cyberspace’.
“And most of it is recorded and parsed by big data servers. Why do you think Gmail and Facebook are free? You think they’re corporate gifts? We pay with our data…”
God bless you all and stay safe and secure in both physical and digital worlds!
- Ilaitia B. Tuisawau is a private cybersecurity consultant. The views expressed in this article are his and not necessarily shared by this newspaper. Mr Tuisawau can be contacted on ilaitia@cyberbati.com


