Demands on cybersecurity for the Fourth Industrial Revolution
08:30 Friday, 23 October 2020
UK Cyber Security Council
According to the UK Government, the Fourth Industrial Revolution “is characterised by a fusion of technologies – such as artificial intelligence, gene editing and advanced robotics – that is blurring the lines between the physical, digital and biological worlds. It will disrupt nearly every industry in every country, creating new opportunities and challenges for people, places and businesses to which we must respond”.
Disruption of any kind is, by its very nature, a major challenge to the cyber security industry. The definition of “disruptive technology” describes it as “an innovation that significantly alters the way that consumers, industries, or businesses operate”, noting that “a disruptive technology sweeps away the systems or habits it replaces because it has attributes that are recognizably superior”. Cyber security firms have traditionally been very good at coping with incremental change (for example, anti-malware vendors’ development cycles run at a roughly steady pace, with infrequent spikes), but large amounts of fast, significant change are difficult or even impossible to absorb.
Even if many of us are not yet using the term “4IR” (as the concept has become known), we have all come across one of its core concepts: the Internet of Things, or IoT. IoT devices are generally inexpensive and require little or no technical expertise to deploy, and their security design and implementation is often lacking. Exploitation of IoT vulnerabilities by attacks such as the Mirai botnet shows how prevalent the problem is, and estimates suggesting that by the end of 2020 there will be upwards of 50 million IoT devices connected to the Internet serve only to make the problem a bigger concern. (Aside: there is perhaps also something to read into the fact that “Mirai” translates literally as “future”.)
The primary demands of the 4IR on cyber security are threefold.
- Rate of innovation and development
We have already noted that disruption is the enemy of security, as security is inherently in a race to keep up with development. Even in a traditional, incremental development scenario it can be a struggle to push security considerations toward the top of the requirements stack, and this problem is magnified when completely new concepts are being introduced faster than ever before. Techniques such as DevSecOps can make a difference when building and deploying innovative technology, by involving the security teams throughout development, but there is still a need to ensure that corners are not cut in the interests of time to market or cost – which is particularly difficult in a high-volume, low-margin, first-to-market-wins IoT world.
- Scale
The amount of technology in use around the world never decreases. Where sales growth in one field slows (for example physical server sales), it accelerates in another (such as the cloud offerings of Amazon, Google and Microsoft). Security tools have to keep pace with this up-scaling of demand, and although coping with scale is less complex than coping with innovation and disruption, it is still a significant undertaking.
- Lack of determinism
Artificial Intelligence (AI) and Machine Learning (ML) pose a major challenge to traditional security techniques, because they blur the meaning of a “correct” configuration.
When security began to be a concern, and the first products appeared on the market under the name “firewall”, they were very basic devices – generally little more than simple packet filters that blocked or permitted traffic based on source address, destination address and service type. Auditing firewall settings was very straightforward: one simply compared the design (plus any subsequently approved changes) with the configuration of the device.
Although firewalls’ functionality grew in line with the processing technology on which they were built (that is, a faster processor allowed more functionality to be built in), the result was really only a more complex filtering tool doing more complex analysis, such as inspecting the content of traffic streams and identifying application-level attacks such as SQL injection. The introduction of Intrusion Prevention Systems (IPS) was a step change, as it enabled the security systems to be configured not just to identify rogue traffic streams and refuse to pass them, but also to take proactive steps to stem an attack – for example, by shutting down an interface on a network device. Auditing such systems was still quite straightforward, though: the configuration could be compared with the documentation as before.
With the introduction of AI and ML, however, we will be relying on the systems to take their own “decisions” on how to behave in each scenario. Although we will continue to configure some elements of the systems, there will be instances in which the decision of what will happen in a given scenario will be impossible to audit against a designed outcome – and one may well find different responses to the same scenario at different times because of what the infrastructure has “learned” between occurrences. For the first time, the configuration of our devices will, in part, be something whose design we did not take part in.
Configuration gives way to behaviour
We can expect, then, to have to look more toward behaviour than toward configuration – because although the range of vulnerabilities and attacks will explode with the 4IR, the range of potential outcomes of those vulnerabilities and attacks will grow less quickly. For example, if the number of vulnerabilities that can be exploited to mount a Distributed Denial of Service (DDoS) attack doubles, the number of outcomes remains at one: the victim experiences a DDoS attack.
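The two styles of audit contrasted above (comparing a packet filter's running configuration against its approved design, and checking the outcomes a filter actually produces against the outcomes we intended) can be shown side by side in code. The following is an added illustration, not code from the UK Cyber Security Council or from any firewall product; the one-rule-per-line syntax, the `parse_rules`, `audit_config`, `first_match` and `audit_behaviour` helpers, and the sample "design" and "deployed" rule sets are all constructed for this example. The behavioural audit deliberately treats the filter as an opaque callable, which is why it still works when the thing making the decision is a learned model rather than a rule list we wrote.

```python
"""Configuration audit versus behavioural audit of a simple packet filter (constructed example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                      # "tcp", "udp" or "any"
    port: Optional[int]             # destination port; None means any port


def parse_rules(text: str) -> List[Rule]:
    """Parse the constructed rule syntax, one rule per line:
       permit tcp 10.1.0.5/32 -> 192.0.2.10/32 443
       deny   any 0.0.0.0/0   -> 0.0.0.0/0     any
    Lines starting with '#' are comments."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, src, arrow, dst, port = line.split()
        if action not in ("permit", "deny") or arrow != "->":
            raise ValueError(f"bad rule: {raw!r}")
        rules.append(Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst),
                          proto, None if port == "any" else int(port)))
    return rules


def audit_config(design: List[Rule], deployed: List[Rule]) -> Dict[str, object]:
    """Configuration audit: the approved design is the reference. Report rules on the
    device that nobody approved, approved rules that are absent, and whether the
    approved rules still appear in their designed order (order matters for a
    first-match filter)."""
    approved, running = set(design), set(deployed)
    return {
        "unapproved": [r for r in deployed if r not in approved],
        "missing": [r for r in design if r not in running],
        "order_preserved": [r for r in deployed if r in approved] == design,
    }


def first_match(rules: List[Rule], src: str, dst: str, proto: str, port: int) -> str:
    """Evaluate a first-match packet filter with an implicit default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and r.proto in ("any", proto) and r.port in (None, port):
            return r.action
    return "deny"


Probe = Tuple[str, str, str, int]   # (src, dst, proto, dst port)


def audit_behaviour(filter_fn: Callable[[str, str, str, int], str],
                    intended: Dict[Probe, str]) -> List[Tuple[Probe, str, str]]:
    """Behavioural audit: never look inside the filter, just send probes and compare the
    observed verdict with the intended one. Returns (probe, wanted, got) for each mismatch."""
    return [(probe, want, got) for probe, want in intended.items()
            if (got := filter_fn(*probe)) != want]


# Constructed sample data: only the proxy (10.1.0.5) may reach the web server on 443.
DESIGN = """
permit tcp 10.1.0.5/32 -> 192.0.2.10/32 443
deny   any 0.0.0.0/0   -> 0.0.0.0/0     any
"""

# Constructed "running config" with an SSH rule that was never approved.
DEPLOYED = """
permit tcp 10.1.0.5/32 -> 192.0.2.10/32 443
permit tcp 10.0.0.0/8  -> 192.0.2.10/32 22
deny   any 0.0.0.0/0   -> 0.0.0.0/0     any
"""

# The outcomes the design is meant to produce, expressed without reference to any rule.
INTENDED_OUTCOMES: Dict[Probe, str] = {
    ("10.1.0.5", "192.0.2.10", "tcp", 443): "permit",
    ("10.1.0.9", "192.0.2.10", "tcp", 443): "deny",
    ("10.1.0.9", "192.0.2.10", "tcp", 22): "deny",
}


def run_audits() -> Tuple[Dict[str, object], List[Tuple[Probe, str, str]]]:
    design, deployed = parse_rules(DESIGN), parse_rules(DEPLOYED)
    config_findings = audit_config(design, deployed)
    # The filter is passed as a callable; a learned system could be wrapped the same way.
    behaviour_findings = audit_behaviour(
        lambda s, d, p, port: first_match(deployed, s, d, p, port), INTENDED_OUTCOMES)
    return config_findings, behaviour_findings


if __name__ == "__main__":
    cfg, beh = run_audits()
    print("unapproved rules:", cfg["unapproved"])
    print("behaviour mismatches:", beh)
```

Both audits flag the same problem here, but only the behavioural one would still work if `first_match` were replaced by a system whose decision logic nobody designed; the price is that a behavioural audit can only confirm the outcomes you thought to probe, so the list of intended outcomes needs the same change control that the rule set used to get.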
While the security vendors will of course be obliged to make their equipment faster and give it more features, we as the security teams will move to a world in which we examine the outcomes rather than the configuration. And it is on this area that the security vendors need to focus if we are to remain capable of identifying attacks and defending ourselves against them.