Cybersecurity has been a big subject in discussions at Sibos this year and experts are warning the banking industry about the lack of defence that is integrated into the infrastructure when new systems are created and put to market. This year at the Innotribe area, we saw Bruce Schneier, CTO and Special Advisor at IBM Security, talk about how he is seeing a change in computer security because everything is a computer now. Your phone, your car, your fridge: all of these are computers with a screen or wheels added to the device.
“This means that the world of computer security becomes the world of everything,” Schneier said. He highlighted that with this, systems are becoming interconnected and “it is no longer the web you connect to, it is the world you live in.” With the introduction of credit cards, the attitude towards money changed and people got used to being able to defer payments and conceptualising money; this is the mindset that has allowed money to become just a number on a screen, and cash is being used less and less as time goes on and new payment products become mainstream.
When the robot crashes
The Internet of Things is the future, as Schneier explored, and it is scary to think that we are currently building an Internet that senses, thinks and acts on command. “This is the classical definition of a robot and we are creating a world robot without even realising it, this is a concern for security,” he said. As this is happening, we should be acting on this world robot in a way that is increasingly smart and powerful, because one flaw or failure could cause the entire infrastructure to break down.
The stakes are getting higher in lots of different ways and Schneier said that confidentiality is also becoming a concern. “We want systems to make choices and do things, but all systems have vulnerabilities and hackers can take control and crash systems. There is a big difference between a spreadsheet crashing and a car crashing. You might lose data, money and cause embarrassment for yourself, but when a car crashes, people die.” He explained that despite this, society wants self-driving cars because it makes life easier and it could ultimately eliminate thousands and thousands of deaths.
Security is an arms race
“Technology perturbs the arms race by changing the balance between the attacker and the defender,” he said, and went on to explain that there are three trends that affect this arms race. The first is that systems shift the power balance: Schneier explored how those who used the internet first were those who were empowered first. It was not the government or large corporations; it was the hackers, criminals and fringe movements that were able to gain power even in the presence of strong governments.
“The internet was a tool for global empowerment and technology magnified that power. The rate of adoption was rapid and the dissidents get power first and are in turn, empowered.” The battle is truly between the quick and the strong, security vs. surveillance and with this, we have no idea what is going to carry on. Another trend that has been apparent is that the attackers have an advantage over the defenders in that the latter are usually big conglomerates who have to secure their entire surface, whereas the attacker only has to spot one vulnerability and their natural agility enables them to attack at the right time and the right place.
A delay between the attack and defence results in a security gap which is obviously vulnerable to fraud. “This window is getting bigger and becomes greater in times of huge technological change. We can’t get ahead of the attacker because the quick are getting stronger.” The internet is a technology for scaling things and electronic espionage, as we saw with WikiLeaks sometime about now. Schneier said that it is a numbers game in society and there is a natural crime rate that society is willing to tolerate, and technology makes this possible.
Nation state attacks vs. attacks from teenagers in bedrooms
“We cannot tell the difference between attacks from nation states or regular guys and this is a trend that is becoming much more dangerous. However, we should no longer be concerned about the average guy or a particular country, we should be concerned about the most skilled because they will have the capability to scale and attack everyone,” Schneier said. There is a rhetoric of fear that demands the government do something now, and he believes that there will be involvement: before, the government “left it alone when it was just tech”, but now it involves medical devices and cars. “There will be more surveillance and control as the stakes are higher.”
At the moment, we are living in uncertainty when it comes to the rate at which technology will advance. Schneier offered an example in saying that individuals change their mobile phones every 18 months and with that, upgrade the technology within it and the security. “The devices will get cheaper and you are not able to fix it, like when your internet router breaks, the only way to fix it is to throw it away and get a new one.” Not all technology has an upgrade, as this shows, and the vulnerabilities will persist.
It is important to secure the technology properly the first time because we are living in a world of security by design. “We must get it right because the effects of getting it wrong are much more catastrophic in a world in which we are muddling through.” As well as this, there is no alternative when systems come out; regulation needs to be industry-specific and a new framework is also needed, according to Schneier. “IoT is a freewheeling system and we have to figure out how to make fixes because it doesn’t make sense for one drone to regulate something with wheels and the same one to regulate something with propellers.”