Given how intertwined technology is with communication, politics, economies and overall human progress, it follows that cybersecurity must be elevated in parallel.
Dan Geer, considered atop the food chain of security thinkers, said during last week’s Source Boston conference that cybersecurity and humanity’s future are “conjoined”, and since humans are evolving faster than at any other time in history, choices must be made about how to protect us.
“To be deadly serious about cybersecurity requires that—either—we damp down the rate of change, slowing it enough to give prediction operational validity—or—we purposely increase unpredictability so that the opposition’s targeting exercise grows too hard for them to do,” Geer said. “In the former, we give up many and various sorts of progress. In the latter, we give up many and various sorts of freedom as it would be the machines then in charge, not us. Either way, the conjoining is irreversible.”
Geer’s keynote included 26 predictions, highlighted by a declaration that cybersecurity “is and will remain the paramount national security risk.” Many of his predictions carried a national security slant, starting with attribution between nation states.
Geer said that since weapons such as Stuxnet can never be assuredly attributed, they will never “ensure threat-stasis” as did the concept of mutual assured destruction with nuclear threats.
“The reason is attribution: while intercontinental ballistic missiles have a visible flight path and a limited number of launch-capable governments, offensive software has neither,” Geer said.
That won’t stop governments from coveting mechanisms for assuring attribution such as a geocoding of the Internet similar to what exists for mobile devices today, he said.
Governments will also continue to be the top consumer of zero-days, and policies will be crafted that will keep technology developed by an adversarial sovereign nation from running on critical infrastructure.
“This will extend to cryptographic gear including any sensor product with hardware embodied cryptographic code,” Geer said. “Industrial espionage will thus rise in importance to nation states, as if it were not high enough already.”
Geer also said we should expect offensive capabilities to be integrated into conventional network infrastructure, calling it “all but certain.”
“Much of that pre-deployment will initially be for tactical denial of information service in one form or another, but is likely to expand into disinformation as soon as sensors assume a place in the critical path for autonomous devices,” Geer said.
Artificial intelligence also crept into Geer’s predictions; he said self-modifying algorithms will have their place in other domains, including the government. But, he said, there are caveats.
“Turning decision making over to machines will be entirely seductive but safe if and only if that delegation can be withdrawn, meaning that the conditions for operating without that delegation are maintained,” Geer said. “Except at the level of especially sentient cybersecurity practitioners such as some of you, this lesson will be learned the hard way.”
Geer cautioned that there must be mechanisms available to examine the reasons why machine learning instruments arrive at a particular algorithm.
“This dictum of ‘interrogatability’ may or may not be codified while there is still time to do so. Once the chance is lost, going back to non-self-modifying algorithms will prove to be costly,” Geer said. “While various baby steps towards algorithmic regulation will take place, e.g., for traffic management, none of these will yet be critically relevant to either cyber or national security within the near-term envelope.”
Geer also broached the subject of liability, predicting that most enterprises will be subject to external cybersecurity-related requirements.
“End-User License Agreements (EULAs) that deny all responsibility will be effectively challenged as soon as a suitable crisis appears. Autonomous vehicles may be where such challenges draw their first blood,” Geer said. “Enforceable guarantees for the integrity of retained information, backstopped by some liability regime not yet designed, will come into existence. Electronic health records may be where such challenges draw their first blood, and, as with the above, as soon as a suitable crisis appears.”
Read the full text of Geer’s keynote here.
Image courtesy Doc Searls