IP EXPO 2017: Cybersecurity heavyweights discuss the future of the industry, noting that the answers may be in its past
It hardly needs reminding that the technology industry is characterised by constant change. What is cutting edge today will be considered out of date in a matter of months. But there are concerns that the cybersecurity sector isn’t keeping up with this rapid pace.
The past 12 months have seen numerous data breaches, the rise of ransomware and a host of other threats, such as fake Android applications and other devious pieces of malware.
Leading security researchers have expressed concerns that developments in artificial intelligence (AI), augmented reality (AR) and the connected world would require new approaches and strategies.
Real and physical worlds
“One of the things I find particularly scary at the moment is we have a petition at the UN to ban autonomous weaponry,” said TrendMicro’s Rik Ferguson. “We are already in Skynet, that’s the world we live in. AI and Machine Learning are great for businesses, but we know cybercriminals are among the first to seize those benefits.
“We as a security industry have a duty to see that coming, to build the tools to harness the capabilities of AI and to deploy it to find the faults in our code.”
The intersection of the real and virtual worlds also concerns Ferguson. Whereas the two have previously been distinct, AR blends them into a single hybrid, opening up huge opportunities for cybercriminals to exploit.
“I think we’re ready as users to accept AR as a means of interacting and digesting information. Pokémon Go and Apple ARKit mean the technology is mainstream,” he continued.
“Where it worries me from a security perspective is that for the first time the web is overlaying into the real world. You’re not just talking about hacking something someone owns, but their world. It opens social engineering up into a brand new world.”
The intersection of the virtual and the physical extends to the Internet of Things (IoT), which has been a hot topic for a number of years. The main concerns are protecting the data that these items collect, much of which can be very personal, as well as ensuring the devices are not snared into an unstoppable botnet that can spread attacks and be used for DDoS assaults.
The technology industry has typically built something that will last and be supported with updates and patches for a number of years, after which it is expected that customers will purchase an upgrade.
While this may have been acceptable for IT, the advent of connected appliances, vehicles and other products means this model may have to be revisited, because such products have far longer lifecycles.
“The way we build things to last like furniture is at complete odds with how we update technology. Is this practical?” asked chair Wendy Nather from Duo Security. “Is this sustainable? MRI scanners are built for a life of 20 years but there is a maximum number of patches they can sustain. Who is right, who is wrong?”
“There’s a deeper problem in that we expect these machines to work for decades like a car,” added F-Secure’s Mikko Hyppönen. “Today, everything is reliant on backends, services and clouds. How long will they be there? How long will the vendor pay the bills?”
“We are living in a capability gap between the people that make the devices and people who do the security and they’re not working in the same companies,” suggested Ferguson.
“Security professionals aren’t going to work for Whirlpool etc., they’re going to work for a security company. We’ve got a chance to change it now by enforcing standards and working with the manufacturing community or else we’re going to have a problem.”
Hyppönen suggested the answer was to make manufacturers responsible for the damage caused by poor security, with Sophos’s James Lyne predicting the number of lawsuits would increase in the coming years. However, Ferguson feared this would harm open source development.
“You’re going to end up killing open source as no one will want to give away anything for free and then be liable,” he argued. “Why should they be legally responsible when they’re doing it pro bono?”
Pace of change
The panel all agreed that despite these concerns, many aspects of the security landscape had remained the same. In fact, some of the most innovative approaches used by cyber criminals saw them revisit older techniques, the experts said, claiming the industry as a whole had done a good job at protecting consumers and businesses from threats.
“The fundamental goal of profit, fraud and other things cyber criminals want to do moves at a slow pace,” said Lyne.
“[For example] we’ve been talking about [IoT] for the past few years. I don’t think it’s negative as it’s important to keep mentioning it and challenging it. It’s ok to keep going back to this stuff to challenge the assumptions that things never change.
“If you look at the hardening of programmes … [such as] the level of protection that is available out of the box that people don’t even know is there and the slaying of code mistakes and bugs is quite impressive. We shouldn’t misconstrue large data breaches with tech advances.”
“The future of cybersecurity is and in many ways always has been the past of cybersecurity,” said Ferguson, who suggested the biggest challenge was education.