May 13, 2016
The Cybersecurity Conundrum
By Robert A. Manning
Enhancing cybersecurity is critical not only to the viability of the Internet, but to the next wave of innovation and perhaps to the increasingly digitized global economy writ large. In his annual threat assessment to the Congress, Director of National Intelligence James Clapper argued that cybersecurity and the threats to networks are at the top of the list of US concerns.
The need to trust technology is key to its viability, not least for the still emerging IoT, the linking of devices to other devices, with services operating on the Cloud. McKinsey projects the IoT to add $4 trillion to $11 trillion in value by 2025.
As our dependence on connected technology rises, its security must be worthy of the trust placed in it. As the amount of software in life-critical systems increases, the number and severity of software flaws also increase. As connectivity increases in an era of Cloud computing, exposure to accidents and adversaries rises with it. If cars, homes, and even medical devices like pacemakers can be easily hacked, when public safety may be at risk, who will trust the IoT? Without trust, consumers will not buy these devices, eliminating financial gains as well as benefits such as safer cars, better medical devices, etc. Getting cybersecurity right would be an enormous enabling achievement.
The San Bernardino iPhone case has exposed a tension between government and markets. Customer demand and corporate direction, in response to perceived law enforcement overreach on metadata, led to strong data protection which hides content from bulk collection and analysis. The FBI and DoJ were at odds with Apple, with the competing interests of consumer trust and protection against data theft, versus combatting terrorism, and systemic vulnerability in technology. This has exemplified an “us vs. them” mentality, often present in these conversations, which must be resolved. This reflects a fundamental tension between the need for law enforcement to investigate crimes and the need to protect privacy from law enforcement overreach. There appears no silver bullet on the horizon to resolve this – and there may not be one.
To get beyond this situation, a dialogue including all stakeholders – insurers, customers, venture capital, lawyers – may be key. One example of such a process is the FDA approach of bringing in all stakeholders to discuss cybersecurity of medical devices with the aim of aligning interests of those stakeholders around the cybersecurity impacts to patient care and patient safety.
Government needs to define a role that does not impede innovation and investment, yet sets the parameters of required outcomes and guidelines for attaining it. In addition to the FDA approach, another example of self-regulation, however imperfect at present, is the credit card industry adoption of the Data Security Standard to enhance cybersecurity. With the threat of legislation looming, the industry (after banks bore the cost of fraud) devised a solution to preserve trust in the credit card system.
Consumers are most comfortable with a ‘walled garden’ of privacy; such as the software that is licensed and controlled for iPhone encryption. In the case of Apple, there is neat coincidence, as the security model also aligns with its business model. Many devices are following the Apple path with lockdown software, especially automakers. But this is not the case with the Android ecosystem, which tends to leave devices more open to adversaries. Where – or how --to find the right security model for the Internet of Things remains a matter of some debate.
In any case, one important aspect of maintaining security levels is building in design features for resiliency like software updates, which allow a prompt, secure, and agile response to flaws once discovered. This also keeps down costs, compared with product recalls. It is important to connect the imperative of stopping incidents to the larger imperative of reducing risk to the ecosystem. Government procurement, a slow and tedious process, faces a particular challenge in the ability to understand risk when buying software or connected devices.
Another issue of trust is in regard of the identity of users. If we cannot absolutely determine the identity of a user, who is allowed access and/or can make changes then the whole system is at risk. The complex systems involved in the IoT give this problem an urgency that industry needs to solve if there is to be ample trust of consumers to buy into the IoT. In a hospital operating room, passwords slow down care delivery and may cause harm, yet biometrics are frustrated by sterile gloves and masks. Authentication and identity will need to be rethought in a hyper-connected environment.
The expansion of the digital economy means there are increasing numbers of access points and software versions for intruders. This complicates the challenge of building ample trust for users. One aspect of the IoT may provide part of the solution: the combination of AI and Big Data may provide the ability of accurate machine detection and analysis of intrusions and attacks. DARPA, the Pentagon agency that was instrumental in the invention of the Internet, has announced a new program to use AI to attain rapid attribution of the full range of hackers and cyberattacks.
The great fear is that events may force the issue. If there is a cyber 9/11, Congress is likely to pass legislation focused entirely on the security end in ways that reduces space for innovation and investment. This underscores the need for a more technically literate policy environment, informed by consequences of too much, too little, or the wrong type of action. While regulating technology may stifle innovation, some role is necessary in the same way that restaurant kitchens are held to sanitary codes, to protect public health without impeding business. By preparing now, any eventual crisis of confidence can be met with the right policy response.
Robert A. Manning is Resident Senior Fellow at the Atlantic Council’s Brent Scowcroft Center on International Security.