15. CONSUMERS, DEVELOPERS & VENDORS
Greater transparency
Invest more in security
Culture shift
Secure by design
16. MACHINE V MACHINE
“Whereas the short-term impact of AI depends on who
controls it, the long-term impact depends on whether it can
be controlled at all”
- Stephen Hawking
My name is Gary Trimnell and I am Technical Director for a digital agency called e3.
I was really fortunate to be able to attend this year's SXSW, and as a techie I was of course interested in all of the really cool things that technology can do and how we can push them, but I am naturally drawn to the practical side.
Today I am going to give a really brief overview of the topics of conversation that surrounded security and privacy at this year's SXSW.
So without a doubt the hot topics at this year's SXSW were:
Artificial Intelligence/Machine Learning
Virtual Reality
Connected Devices, the IoT.
These are not brand new technologies that have only just emerged this year.
AI for example was first founded as an academic discipline in the early 1950s.
However, between then and now there have been a couple of periods, coined “AI Winters”, where progress almost ground to a halt. This was primarily due to the funding stopping after the results failed to live up to the high expectations, and this was the result of one fundamental problem: there simply wasn't enough compute power.
So why are these technologies dominating this year's SXSW?
First and foremost, there have been advancements in computing to provide the infrastructure and raw compute power necessary to process the vast amount of complex structured and unstructured data at scale, which simply didn’t exist 50 years ago.
Secondly, the ubiquity of mobile devices in the modern age has driven the commoditisation of the technology that VR and IoT rely on, such as High Definition screens, GPRS and accelerometers, making products more affordable.
And finally, there is a wealth of services being made available by companies like Google, Microsoft and IBM to the mass development community, significantly lowering the barrier to entry, and this is why we are seeing an explosion in these areas.
And this is set to grow exponentially!
By 2020 some are estimating that we will see …
In total we could see anywhere up to 50 billion connected devices, a little over 7x the total world population.
This is 50 Billion devices that will be collecting information about us
50 billion potentially unsecure devices
99% of which could be completely unregulated
With these sorts of predictions it isn’t hard to see why the other overarching key topic at SXSW was Security and Privacy.
The key questions up for debate were:
Why is Security important?
How can we better protect our data?
And who’s responsible?
So why worry, why does it need our attention?
First and foremost, we will continue collecting and storing more and more personal information about ourselves.
The more data we collect the more we need to look at how to protect it.
Products will get more complicated as more features are added to them.
The more complex a piece of software is, the more code it has.
This in turn makes it harder to maintain and secure.
To put this into context, the average iPhone app will contain around 50,000 to 100,000 lines of code.
The modern high-end car contains anywhere up to 100,000,000 lines of code.
Looking to the future of the fully autonomous car this will require a substantial amount more code to function.
One way to mitigate this a little is to disconnect the connected devices:
We will see the emergence of new protocols aimed at IoT that will allow connected devices to talk directly to each other without the need for them all to be directly attached to the WiFi network.
Products also need to be developed so that individual features are isolated from each other where they have no direct dependencies on each other.
A couple of recent examples highlight this necessity:
Back in May 2015 a security researcher claimed to have taken control of some systems on board a United Airlines passenger plane he was on, getting as far as issuing a command that briefly changed the course of the plane.
Another pair of hackers caused a Jeep to crash in July 2015 by accessing.
In both scenarios they claimed to have accessed critical controls via non-dependent entertainment systems.
Hello Barbie is another example: hackers claimed they were able to get access to personal information through the toy, use the microphone as a surveillance device, and access the home Wi-Fi network and from there gain access to other internet-connected devices in the house.
What these examples also do is highlight that someone gaining unauthorised access to these systems and devices in the future could have a far greater impact than being able to access some data.
And now the ability to attack systems is being made easier than ever.
A security expert called Adam Tyler gave a talk at SXSW in which he demonstrated just how easy this was and that there has been a rise in these types of services being made available.
He found a site through a simple search and within minutes created a ransomware bot by completing a simple form, ready for distribution.
He also went on to say that you expect hacking to be carried out by highly intelligent, experienced developers; in actual fact, because the hard work has been done and provided as a service, it is being carried out by children, for fun.
There are currently 1 million new malicious software threats created daily, and this number is only going to increase.
What can we do to regulate and better inform consumers?
Many of the clients that I work with expect us as an agency to have certain levels of accreditation like ISO 27001 and Cyber Essentials, to give them confidence that we have the necessary process and controls in place to manage information security.
I think consumers will also become more savvy and look out for certain stamps of approval in the same way to distinguish products that have been more rigorously tested.
The biggest will be regulations that could have a financial impact, like the EU General Data Protection Regulation, which will encourage vendors to consider security more when faced with a potentially significant fine.
And we could also see the introduction of self-propagating rating systems for IoT, as we have seen in different sectors, like the Sold Secure rating for locks.
This will of course be driven by the market.
What we will see more of is forums from which to discuss security concerns as they emerge driven by businesses, security experts and consumers alike.
The IoT Security Foundation was set up at the end of last year and they are doing just that; they are an international, not-for-profit, vendor-neutral organisation.
Their aim is to share best practice in order to drive awareness and advocacy for the important issues surrounding the IoT and security, in order to raise user confidence and accelerate adoption.
Lastly, there was lots of debate at SXSW around who is responsible for security; ultimately this is the responsibility of everyone.
Vendors will need to become more transparent about how consumer data is being used, what is being collected and how it will be secured, in a clear and concise manner and not hidden within a 3000 word privacy policy. This will allow consumers to make more informed decisions on the risk versus reward.
Nest do this really well, and they encourage consumers, developers and researchers to work with them to alert them if they find any vulnerabilities, supported by Google's Vulnerability Reward Programme.
We will see a culture shift in the way that many vendors operate to think more like a software agency and work closely with third party security experts to avoid PR disasters and invest more time and money into security to ensure that the products that they create are “Secure by design”.
It is inevitable in the long term that we will have to rely on research fields such as adversarial machine learning, which sits at the intersection between machine learning and computer security.
Applying these techniques to IoT to process the vast amount of data and determine safe device behaviour and general usage patterns can help to spot and block abnormal activity and potentially harmful behaviour in real time.
Eventually the responsibility may need to shift to the machines themselves.
SXSW confirmed that these technologies have the capability of significantly enhancing our lives but could also make them a whole lot harder, which is why security & privacy cannot be sacrificed in the process, and this is why I think Security & Privacy will continue to be top of the agenda at next year's SXSW.