As products and networks become more sophisticated and stable, it seems the hackers and saboteurs are proliferating at an alarming rate and getting better at what they do. Perhaps it’s just a function of the ubiquity of digital devices along with greater rewards for those looking to hijack them, but it’s getting worse rather than better.
In the “Emerging Cyber Threats Report 2015” (ECT report), the Georgia Tech Information Security Center (GTISC) and the Georgia Tech Research Institute (GTRI) point to the cloud and the expanding Internet of Things (IoT) as environments that will make us more productive and more vulnerable. The report also notes that mobile devices are falling under increasing attack, and the age-old issue of trust—between users and their machines, in employees, and in outsiders intent on social engineering—hasn’t gone away.
Recent shocks to the system that highlight existing vulnerabilities include the massive hacks of customer databases at Target, Home Depot, and JPMorgan Chase; the 60 Minutes televised demonstration of how to hack and control a modern car; and, of course, former contractor Edward Snowden’s release of documents exposing the reach of the U.S. National Security Agency’s surveillance programs.
The ECT report discusses several inherent problems with surveillance by governments. Advanced technologies enable the surveillance, and current law requires the cooperation of large online companies. But the government is required to secure its citizens, gather the intelligence to do that, and, at the same time, protect the privacy of its citizens. The report points out that, regrettably, the policies needed to balance all three requirements aren’t in place.
As a result, we have the backlash produced by the Snowden revelations, and the likelihood that the European Union’s privacy rules will continue to “set the privacy agenda for U.S.-based companies.” Encryption could be the ultimate solution to the problem, but “governments continue to resist its deployment, fearing an inability to gather evidence.” That hasn’t hindered innovative technologies that use encryption in products like the Blackphone from SilentCircle.com, which guarantees private (encrypted) “silent phone” and “silent text,” and encrypted e-mail programs like Hushmail, VaultletMail, and Enigmail.
The ECT report suggests the ultimate solution will come from a combination of good privacy policies and encryption.
Internet of Things
The trust issues aren’t limited to the relationship between individuals and governments. There are also problems with machines sharing data with each other in the emerging Internet of Things. If the wirelessly connected Nest thermostat in your home doesn’t recognize that the signal to turn up your heat on a blistering August day actually came from the kid down the block who hacked into your network, that’s a problem. A bigger problem might involve your security network at home, your car’s braking system, or the built-in camera or microphone on your laptop listening to untrustworthy computers.
The ECT report predicts: “As machines make more decisions on behalf of the user, attackers will aim to exploit the web of trust between these systems.” And the number of interconnections between devices is expected to grow from 15 billion connections this year to 50 billion by 2020. That’s quite a few vulnerability points to secure. Margaret Loper, a chief researcher at the GTRI, explains: “In the Internet of Things world, there are machines coming and going, so it is going to be much more dynamic. These devices are going to have to continuously assess each other to figure out what to trust, and like humans, they may start off with a level of trust that will change over time.” Georgia Tech has initiated research in this area in a project called The Machine-to-Machine Trust Framework, and the problems are unique. Loper explains, “Many of the ways that we determine trust—such as body language—machines don’t have.”
On the whole, though, we aren’t losing our place. The ECT report reassures us that “humans remain the link most often exploited in attacks.” Whether that’s a user hooked by a phishing attack or a rogue insider opening a hidden backdoor, we’re still the most vulnerable point of attack.
April 2015