“We need to accept the fact that defence has to dominate offence. If there’s a choice, we build for defence,” says Bruce Schneier author of Click Here to Kill Everybody.
Speaking at Edinburgh Napier University’s Craiglockhart campus, Schneier explored the risks and potentially devastating implications of an increasingly ‘connected’ world – one which is vulnerable and will require a marked shift in how we perceive consumer devices aimed at streamlining our lives.
We live in exciting times. As the world becomes ever more connected, day-to-day life is changing. Our workplaces are being simplified through automation, communication is near-instant and our methods of transportation are also becoming automated and connected.
The iPhone in your pocket, Schneier explains, is more than a mobile phone – it is a portable machine; a modern refrigerator isn’t just a device that keeps your food products cold; an ATM machine is a computer, first and foremost, with money contained within. Similarly, while a car used to be a mechanical device, it is now a computer with four wheels and an engine, he says.
While these are luxuries that no generation before us has enjoyed, the high life isn’t quite what it should be. The connected nature of many consumer items poses a serious risk both to privacy and safety.
“It means that computer security is now everything security,” he remarks. “The lessons of our world [cybersecurity] are applicable to everything, everywhere.
“As we connect things to each other, the vulnerabilities of one thing affect another and you will see this when you read about some of the hacks in the news.”
Schneier says we are increasingly faced with a “cascade of vulnerabilities”, whereby attackers can gain access to systems and networks through vulnerabilities elsewhere in a company or organisation’s infrastructure. A prime example of this, he suggests, is when an undisclosed casino fell victim to a cyber attack through an IoT fish tank.
Attackers were able to gain access through the tank’s connected thermometer, which was located in the lobby. Once in, they moved on to access the casino’s customer database. These cascades, while they appear sophisticated, are relatively easy – further underlining the dangers of unsecured devices.
The number of IoT devices in use globally is expected to skyrocket over the next decade, with Cisco anticipating that there will be more than 500 billion devices connected to the internet by 2030. With this growing number of connected devices being used worldwide, security is an issue that will likely be a key talking point for some time. The fluid nature of the cybersecurity landscape is also a critical issue, Schneier explains. The cat and mouse games played between attackers and defenders the world over means that what was secure before will not be secure today.
“Attackers adapt and figure out new techniques and we have these arms races; spam versus anti-spam, ATM machines versus ATM machine hacking and, more recently, deep fakes versus deep fake detection,” he says. “So, what was secure before is not secure today.”
Attacks are also growing in severity, Schneier explains, and connected devices have a physical impact on the world which previously we have not experienced. This is changing the way cybersecurity professionals must approach the three basic properties they are expected to provide – confidentiality, integrity and availability; commonly referred to as the ‘CIA Triad’.
Whenever security news stories permeate the airwaves, invariably they are some kind of confidentiality breach; data theft or data misuse. Recent high-profile scandals, such as the Cambridge Analytica affair, the Equifax breach or the Marriott scandal were all confidentiality breaches due to the exposure of data.
DDoS attacks and ransomware damage availability, while if a successful attack is carried out on a bank that changes balances, for example, this represents a data integrity attack. Although confidentiality attacks dominate, they may come to represent the lesser of three evils in years to come.
“Today when you have computers that affect the world in a direct physical manner, integrity and availability threats are much worse and they’re much more severe. They offer a real risk to life,” Schneier insists.
“I’m concerned when someone hacks a hospital and steals my medical records, but I’m much more concerned that they change my blood type – a data integrity attack.”
Similarly, he suggests that while hacking a car and turning on a Bluetooth microphone and eavesdropping on conversations is both a great invasion of privacy and a significant threat, hackers disabling breaks poses a very real danger to life.
“Cars, medical devices, drones, weapons systems, appliances, power plants. When you get to computers, that effect [confidentiality impact] fades – integrity and availability are much more important,” Schneier says. “There is a fundamental difference between if my spreadsheet crashes and I lose my data, and if my heart monitor crashes and I lose my life.”