There are a lot of articles about Artificial intelligence and what it will mean to the world. People are asking questions like Where is Technology Taking The Economy? and Where Machines Could Replace Humans?. One thing that’s clear is that computers have become an integral part of our life.
Computers used to be ancillary items that would help us get things done. For example, a GPS system was just a better map. If the GPS failed, we could always go back to a map to find our way home. Today, we can’t live without computers. Take driving for instance. We don’t drive our cars anymore. When we turn the steering wheel or press a gas pedal we are actually sending a signal to the computer that that drives the car.
Bruce Schneier, one of the world’s top security experts, just published an article about the dangers of this new environment called Click Here to Kill Everyone. With the Internet of Things, we’re building a world-size robot. How are we going to control it?
Giant robot? What is Schneier talking about? He says:
Broadly speaking, the Internet of Things has three parts. There are the sensors that collect data about us and our environment: smart thermostats, street and highway sensors, and those ubiquitous smartphones with their motion sensors and GPS location receivers. Then there are the “smarts” that figure out what the data means and what to do about it. This includes all the computer processors on these devices and — increasingly — in the cloud, as well as the memory that stores all of this information. And finally, there are the actuators that affect our environment. The point of a smart thermostat isn’t to record the temperature; it’s to control the furnace and the air conditioner. Driverless cars collect data about the road and the environment to steer themselves safely to their destinations.
You can think of the sensors as the eyes and ears of the internet. You can think of the actuators as the hands and feet of the internet. And you can think of the stuff in the middle as the brain. We are building an internet that senses, thinks, and acts.
This is the classic definition of a robot. We’re building a world-size robot, and we don’t even realize it.
This reliance on computers changes the way we should be thinking about computer security. Security has three components: confidentiality, availability and integrity. In the past, when people were thinking about security, they were most concerned about confidentiality (e.g., someone was reading their email, someone stealing their identity). But today there’s a far bigger problem in availability and integrity. Shutting down your car (availability) is a far bigger problem than someone knowing where you are all the time (confidentiality). And modifying your car (integrity) to prevent your brakes from working on the highway is the biggest problem of all.
But even cars aren’t the biggest problem. It’s all these smaller things that we’re connecting to the Internet — the Internet of Things. Last year we saw some enterprising hackers marshal together millions of DVRs and webcams to attack the core infrastructure of the internet and bring websites like Twitter, Amazon and Netflix down. Here’s the basic problem:
- Prioritizing functionality and cost over security. While companies like Apple and Google spend hundreds of millions of dollars on security and pushing out updates, there are many smaller companies making connected devices that don’t care much about security. They often aren’t made in a way to update this security. And because consumers don’t really care if their DVR or refrigerator has good security, it’s unlikely that this will change. So now you have devices connected to the internet that are vulnerable both as victims and coopted attackers. Because these devices are all connected in an ecosystem, a failure of one seemingly unimportant piece can cause far bigger consequences like how an unsecured fish tank connected to the internet let hackers infiltrate a casino.
- Connecting everything to the internet. Now because all these devices are connected to thet internet, you’ve got to protect against the best hackers in the world. Just look at how North Korea is trying to finance the country through ransomware. I’m not convinced that I’m going to win a hacking battle with a nation — are you?
So how do we fix this? Schneider doesn’t have great solutions but he has a couple:
- Regulation. While regulation is normally anathema to computer programmers, for cybersecurity it is needed. There are a few ways to look at this. First of all, the internet as a whole is a utility. In order to maintain the availability of the utility and protect against catastrophe, it’s reasonable to regulate it. Secondly, you can view security as a public health system. In order to maintain the health of the internet, we need to ensure that there are a limited number of viruses on it and we take those viruses seriously. Otherwise, these viruses can imperil the health of the entire system. Schneir’s point is that regulation is inevitable so we should start thinking about it now.
- Disconnection. Why are we connecting everything to the internet?! Everyone is so excited about connecting everything to the internet without thinking about the risks. How much do we lose by disconnecting a power station’s controls from the Internet? It’s probably a little more expensive to have a person or two stationed directly at the plant. But if we leave them connected, there’s the real danger that they can be attacked by a hacker and brought down or destroyed.
In the excitement over all the possibilities that Artificial Intelligence and the Internet of Things can bring, we need to be vigilant about protecting the ecosystem. But people remain far too optimistic about the future. Just today I saw an article titled Cyber Attacks on U.S. Power Grids Can Be Deterred With Password Changes that should have been titled “US Power Grid Has Multiple Security Holes.” Oh, and taking down a power grid is already being tested in Ukraine.