By Ewa Pasewicz
"We cannot solve our problems with the same thinking we used when we created them"
Envisioning Security: A Post-apocalyptic Lesson from Reality
What do we call someone who keeps repeating the same mistakes? Is there any regularity in which the topic of "Security" appears throughout history? Are there any answers in antiquated systems that could shed light on current security challenges, globally?
Please allow me to start sharing with you extremely interesting information from Europe, my little corner of the world. Just two months ago, at the annual Cybersecurity Conference in Athens, it was re-announced, at the EU level that the government of Europe is strengthening its commitment to opening and supporting a new security market. As one headline put it: "The rise of AI technologies requires a new dialogue and awareness of the related cybersecurity challenges."
Interestingly, Steven Wilson, Head of Europol's European Cybercrime Centre, also threw his voice into this battle cry: "The importance of the Internet of Things (IoF) and Artificial Intelligence (AI) has become undeniable, as these technologies have the potential to help us respond to societal challenges while making our lives more efficient. Both the public and private sector are devoting significant efforts to maximize the opportunities of these developments."
It is becoming clear that the EU government, on its level, observes and is also in agreement with the need for government to coordinate with business. And, in light of these emerging technologies, it is especially important to business that government is now highlighting its commitment to the context of security within these recent advancements in technology's reach, power, and efficiency; three areas that are typically vulnerable in their fledgling stages of design.
This is the best time to engage in the important work of Envisioning, as we all look to how we can support the introduction of security into these early phases of software development aimed at enhancing security for our networks and communication. Envisioning, in the context of security, represents a conceptual shift from deployment to design. And this is the perfect timing for security-minded experts to be involved in the birthing of new technology domains such as AI or IoT. Security modeling should play a critical role in the earliest stages of reengineering software in this case. In support of this, it is also valuable to recall classical historic cases, as a clear example of the cost of adding security remedially, after the apocalypse, instead of doing the hard work of engineering security into the conceptual foundation of mission-critical solutions.
Once upon a time on October 29, 1969, ARPANET (Advanced Research Projects Agency Network, originally funded by the U.S. Department of Defense) transmitted its first message: a "node-to-node" communication from one computer to another. The first computer was located in a research lab at UCLA and the second was at Stanford; each one was the size of a small house. The message: "login" was short and simple, but it crashed the fledgling ARPA network anyway: The Stanford computer only received the note's first two letters. Further scientific teams joined the network. Their initial intentions were pure and innocent -- a friend sends information to a friend. And this idyllic atmosphere contextualized the creation of the TCP/IP protocol, a communications model that set standards for how data could be transmitted between multiple networks to this day. The earliest assumptions downplayed the now all-too-obvious fact that not all initiators of transmissions on the network are equally pure and innocent. Today, the global security market has a forecasted value, according to Gartner, Inc., of $124 billion for 2019, with an upward trend to $170.4 billion in 2022. So, enough said about innocence.
From its inception to this very day, the greatest philosophical question the web asks of us remains the same: Are we spiders or are we flies? From the perspective of the fly, the web, with all of its powerful connecting features, is an attractive space for prospective consumers to pursue their individual interests, despite the inherent risks. This is because it is entirely unnatural for flies to manage the definition and design of the web. It is natural for the fly to take the web for granted. For the spider, however, the web, itself, is the creative result of an intuitively unfolding strategy, of a presciently meticulous plan, and of an organically designed infrastructure that grows more aware, daily, of both its environment as well as its content. But, the spider realizes success by focusing attention first on the context of the web, and then, trusting in a well-designed and properly functioning web, to focus on stabilizing the traffic for which it was ultimately constructed. Equally as naturally, when traffic patterns grow, so does the web, thereby expanding its efficiency and, therefore, its productivity. During these phases of expansion, and always as a necessary response to both quantitative and qualitative environmental changes, the spider adapts the web's angles and directions, always making sure to fortify those points of connection that redefine and establish, anew, the web's relationship to its own expanding environment. By prioritizing efforts towards environmental stabilization, the spider inevitably develops a stronger intimacy with the web's growing population of consumers. Despite their contrasting roles, spiders and flies remain in constant communication if the spider is smart enough to constantly monitor the signals it detects on the web that are generated by the activity of the web's users. The spider then passes on to future generations this intimate knowledge of the general culture of its users, and in this manner does the web evolve to better interact with its environment. The spider shows us how to erect monumental edifices while avoiding crisis-oriented, reactionary expansion. Instead, perpetuating the stability of the web, from a spider's point of view, is its labor of love. Attracting traffic to a stable platform is the work of the web, not the spider. The more a spider focuses on the web, the more traffic the web can stabilize for the spider. As logical as this may now seem from these simple and obvious examples in NatureSpace, our own world wide web clearly illustrates the perils of ignoring these essential lessons in CyberSpace.
Take, for example, ransomware attacks -- the encryption of files on your computer followed by a demand for a ransom in exchange for restoring access to your own files. The increase in the number of harmful threat "innovations" and the emergence of new families is an omen of swelling criminal activity in this area. One such variation on the theme is GandCrab, whose career began in January 2018. The virus quickly gained popularity, taking only a month to infect over 50,000 devices. GandCrab was distributed using fake emails. The victim would download the attachment, open the file and it's ready -- the virus could work. Following the attack, the victim's desktop wallpaper displayed ransom information. Admittedly, there were ways to escape payment (decryption tools became available over time), but at least there was a fast and easy way to fulfill the demands of the criminals. And many did just that. GandCrab released their tool on the black market in the service model (RaaS - Ransomware-as-a-Service). They shared the profits with their partners, usually in proportions of 60-40 percent. The profits were impressive. It is estimated that the group made about $150 million, and this was probably only a small shop. The GandCrab family has long been one of the most-used malicious encryption tools -- for over 18 months it remained at the forefront of the ransomware attacks most frequently detected, but even the decrease in its activity did not affect overall threat statistics because there are many other widespread Trojans. The GandCrab case perfectly illustrates how effective ransomware can be: its creators ceased their malicious activity after they claimed they had made a huge amount of money by extorting ransom from their victims. GandCrab is expected to be replaced by new Cybergangs. The "dark side" of the force does have a market and it is seriously worth another billion dollars.
Young, talented people starting their careers in IT face moral dilemmas as difficult as the characters in the Star Wars saga -- which side of the force to choose.
The ongoing IT arms race has unavoidably affected the behavior of users. Just like in the 1950s, civilian exercises in putting on comical masks, making people look like anteaters in a mock nuclear attack were routinely on the agenda. Ultimately, we have become "aware of threats" not by way of preventative education, but because the web, remarkably, carries so many of them, despite billions invested in its security, which, in reality, only attempts to put out the fires that have already been started. Only an organic awareness of security and the behaviors of users will bring about the tipping of the scales to the favor of victory. It's demanding, and above all, unbelievably expensive. Each of us must now understand the meaning and function of an antivirus system, a firewall, a sandbox file quarantine or "phishing." Imagine Salvador Dali having to understand the fertilization, watering, and harvesting of linen for the production of canvas for his paintings!
And here we are talking about only an office network based on the TCP / IP protocol, which is easier to manage because we know our company IT specialist or because we were there when someone was installing internet and cable television in our home. But take, for example, the technical networks servicing nuclear power plants, production lines of industrial plants, refineries, the entire industry, whose coverage according to various sources can be almost 3.5 times as much as the coverage and size of IT networks. These networks and their protocols were all the more designed to operate separated from the outside world to simplify the supervision of the process of opening individual valves for a specified time, so that the fuel delivered in this way met certain volume parameters, or perhaps thermal parameters in the case of a boiler in a power plant, to produce a specified, stable level of energy over time. Technology networks touch far more sensitive aspects of our civilization when compared to simply being unable to send a team update for an hour or a ruined movie night due to a Netflix service interruption for two hours.
Technical networks designed to operate separately are completely defenseless in the event of an attack. Is it even possible to consider any network in today's world as truly separated? We have many cases. One such case is the SCADA (Supervisory Control And Data Acquisition) system. Regardless of whether it is supervising a technical or production process, after upgrading to the new version it suddenly starts downloading weather settings from the cloud server through the tunnel. What kind of separateness in our networking can we expect in the face of such facts if it is possible to access a computer even through the vibrations of a connected speaker membrane? And only a cat can hear this frequency? Are we ready to throw our IT security department to the cats?
What happens, you might ask, when envisioning becomes so fascinated with the vision itself that it neglects the stabilization of its own ideas? You'll have to forgive the spoiler alert, but simply check out Ridley Scott's movie The Terminator. Post-apocalyptic lessons are readily available these days, thanks to our sci-fi visionaries who seem to be so determined to demonstrate this so convincingly and in such a tangible way. The lesson should be learned now, preemptively, before this new revolution on the horizon begins. The only solution is for Security people to participate strategically in the earliest design phases of the technology that will be securing our networks in the future.
And I have the perfect example: The World Wide Web Consortium (W3C) is, effectively, industry experts and government people discussing and planning the future definition of AI and other key technologies. These steps continue to bring us evolving innovations, such as the recent introduction of yet another new language, AIML. This is a good example to discuss. I represent the field as an expert from the security side. Why can't we security people play a part in these early design phases? Here we have a working group of professionals who meet to define the fundamental framework of all of our technologies, present and future. Security people should be integrated into these conversations as early as possible. As we can see, there are clear warnings as well as wise directives available to teach us how not to repeat the past and avoid deploying yet another apocalypse.
"May you live in interesting times!" This well-known Chinese curse was publicized around the world in 2008, in the midst of the global crisis. And, are we now really, with respect to the AI and IoF revolution, in a position in history comparable to the beginnings of the Internet? Has it already started? Is it just now beginning? Is this an organic feature of the human race, to progress technologically at all costs, underestimating the consequences of neglecting the security layer at the earliest stages of design? Can we learn a few lessons from our very own post-apocalyptic stories?
Evidence of the EU's intentions remains to be seen, and specifically in these two technology domains that, in fact, represent two omens of potentially dangerous apocalyptic experiences happening again in the next few years. On the precipice of these two IoT and AI emerging technologies, where is the conversation about envisioning security in their earliest design stages?
Are we an apocalyptic culture? That's what IT has been from the time of its birth. Our duty now is to replace this culture with one that celebrates inherent strategy.
The two concepts we find in the world of medicine are "remedy" and "prevention." Here in the west we usually wait for the problem to emerge, for the illness to manifest itself, and then we go see a "professional" who provides us with the correct magic pill. Within a short time the symptoms of our illness subside and we go about imagining ourselves to be living in a consistent state of health until, of course, the next illness presents itself with its own attendant symptoms. On the other hand, many years ago when the Hindu Rishis gave us the wisdom of the cosmos, they prescribed Ayurveda, a far more effective and systemic approach to health based on prevention. It's all about the timing of the action. On the one hand, we can decide to wait and use medicine to remedy a problem that almost always surprisingly stops us in our tracks and demands our immediate, unplanned crisis-oriented remedy. On the other hand, we can simply decide, like a spider, that the web needs to be built with a much higher degree of engineered intention. Then we are not simply waiting for the illness because we are too busy practicing prevention. Instead of building medicine, we are building a culture of prevention.
I hope that this traditional remedy mentality is where IT was, where it was born but not how it will mature going into our shared technological future. We can borrow from the wisdom of the ancient ayurvedic healing system. We see, already, security-oriented engineers are entering the earliest stages of the foundational development of technologies like AI or IoT. It is in our future to prevent the next apocalyptic culture.
Security should not continue to be a potential remedy to a potential problem. Rather, security should espouse a philosophy of prevention in the engineering of software, especially in the engineering domains of software in relation to AI or IoT. The conversation, in fact, should, of necessity, include security from the root to the roof. The web is not a collection of cables competing for your traffic. It is an expanding idea being woven together in the dreams of spiders.
Ewa (Eve) Pasewicz
Co-Owner at Causeway BTI,
LBTechX1 at Harvard University,
Member of Women in Technology International (WITI)
Ewa is a strong business development professional with a master's degree focused in Quantitative methods and information systems in economy, from Warsaw School of Economics and Launching Breakthrough Technologies at Harvard University. Her extensive experience and knowledge acquired during the implementation of many EU and international projects in the field of IT, translates into a unique ability to effectively match the offered product solutions to the market needs and its institutions. Ewa has delivered a series of speeches as an expert at prestigious conferences and she is the author of many publications (especially in the financial sector, prepared in cooperation with the Polish Bank Association) and cyber security.
Are you interested in boosting your career, personal development, networking, and giving back? If so, WITI is the place for you! Become a WITI Member and receive exclusive access to attend our WITI members-only events, webinars, online coaching circles, find mentorship opportunities (become a mentor; find a mentor), and more!
Founded in 1989, WITI (Women in Technology International) is committed to empowering innovators, inspiring future generations and building inclusive cultures, worldwide. WITI is redefining the way women and men collaborate to drive innovation and business growth and is helping corporate partners create and foster gender inclusive cultures. A leading authority of women in technology and business, WITI has been advocating and recognizing women's contributions in the industry for more than 30 years.