I recently attended, and presented at the ISF annual congress in Berlin. One of the highlights of the conference was the keynote talk from Bruce Schneier.
The talk focussed on some of the current developments in IT, the internet, machine learning, IoT (Internet of Things), and what these may mean for IT security and basically everyone’s safety and security.
My notes from the talk are below, they are relatively rough, but I thought worth sharing as there are some great points and things to think about!
Internet now Senses, Sees and Acts – definition of a Robot?
Does this mean we are building a world size robot?
It’s a distributed robot…
Mobile, cloud, persistent computing, big data, IoT
This means – Computer security becomes Everything security…!
That means that all the things we understand from patching and vulnerabilities to security vs. complexity to network effects become relevant to everyone / everything.
As computers become more integrated with real life – medical, cars etc. We likely move from confidentiality being the most important part of the security ‘triad’ to safety..
How do we deal with things like;
Algorithms that choose where police go or who gets parole?
How can we allow police to safely stop a car, vs. criminals being able to stop any car?
Tech / security arms races;
- Click jacking
- Ad blocking
- Credit card fraud
- ATM fraud
5 trends affect this security arms race (currently, may change in the longer term);
- Attack is easier than defence
- For a bunch of reasons, like complexity
- New vulnerabilities in the interconnections
- The more you connect things, the more vulnerabilities in one thing can affect another
- E.g. recent massive DDoS – was from cameras etc. – so vulnerabilities in these led to massive impacts elsewhere
- More critical systems mean more power to attackers
- Internet allows criminals to scale
- Allows attacks from anywhere / everywhere – e.g. I live in the UK, so don’t care about burglars living in Germany. But with connected systems I can be attacked from anywhere.
- You don’t have to worry about the average attacker, you always have to worry about the best, as the best guy will be the one writing the tools..
- The economics of computer security don’t trickle down to the Internet of Things
- E.g. how do we secure and patch the billions of very low value devices
- Computers and phones – updated all the time, staff at MS etc employed just to patch
- Low cost embedded systems – written somewhere, dev / company moves on. Some can’t even be patched. So the only way to patch is to throw away and replace. Is this a viable patch strategy?
- We also regularly replace things like phones and computers – this provides improved security and ensures updates.
- IoT stuff isn’t like this. How often do you replace your DVR, your home thermostat etc?? 5 years, 10 years? Never??
- Owner and producer of these devices don’t care about the issues.
- Copy write laws, make it very hard to do security research on these devices
- It can be illegal to circumvent the security of these devices, even for research.
- Criminals don’t care, obviously.
- Criminals will do the ‘research’ and will hack the devices.
- Researchers likely will not do the work if they will be threatened and unable to publish the research..
- How will we ever improve?
How to fix this;
- Do it right in the first place
- Agile security- rapid prototyping, fix failures fast
Doesn’t work – Chrysler recalled >1M cars to update software
Does work – Tesla – remotely updated software of all cars
Technology and Law must work together or both will fail
Example – Snowden papers showed that technology could circumvent the law, as well as the other way round
Need clear government policies on this
Do we need a new regulator for this stuff?
What regulations do we need?
Does this need to be international, not national?
Governments will get involved, can we lead this to help drive sensible and usable regulations?
- IoT changes everything – computers impacting the world in a physical manner
- Less off switches
- Not designed just growing
- Threats getting worse in several dimensions
- This is all coming, fast. Government involvement is coming
- We need to get ahead of this – we need to start making serious choices. We need relevant, workable laws. We have moral and ethical choices to make.
- We need to change how we code.
- When software didn’t matter we let developers code how they wanted and how they saw the world.. Bugs just get fixed later.
- Now when lives more and more st stake we need society to decide what is OK, and hold developers to account.
- We need to change how we code.
- We need to bring together policy makers and technologists!
Government response will be fast and likely unplanned – e.g. ransomware against cars – millions of people cant get into cars. OR power plant goes offline.
This will lead to very fast and possibly badly thought out action, and regulations
Hence the need for us to get ahead of this!
We wont get to choose – once lives at stake you don’t get to decide if you’re regulated. Airlines, drug companies etc. Don’t get to say hay don’t regulate us.. Once internet / IoT etc as important as drug companies it will have now choice but to be regulated.
Do we really need to connect everything together?
E.g. could some systems (SCADA for example) connect to a SCADA only network? Not a new internet, just secure / controlled networks for some systems?
Does believe we will solve this, but it is challenging 🙂 He is actually optimistic about this!
I’m sure you will agree, some great thinking points. We live in very interesting times, IT security is going to become increasingly critical as more and more systems that genuinely and immediately affect life become connected to the same internet as everything else.
What are your thoughts? Can we safely and securely enable all of these interconnected systems?