Cybersecurity is frustrating. It’s frustrating not just to practice and implement, but also frustrating to talk about, write about, and discuss. Talking about cybersecurity with designers, engineers, and even IT professionals – particularly those excited about IoT – can feel akin to trying to tell a lifelong friend to quit smoking. The larger engineering community takes a view on cybersecurity not unlike how a patient with a chronic illness might look at a doctor’s appointment. No matter how bad the problem gets, there’s always a part of you that can look in the mirror and tell yourself you’ll always have tomorrow to deal with it.
Even in the face of bold evidence – the Mirai malware, the Target hack, the Sony leaks, the Equifax hack, etc. – showing us on a regular basis how woefully inadequate our systems of protection are, even with NATO officially recognizing cyberspace as a domain of operations – a potential realm of warfare right alongside land, sea, and air… we still look at cybersecurity and impose the same rationale that lets us watch the horrors of the 10 o’clock news and sleep like babies – “It won’t happen to me.”
And yet we keep talking about it. Not because we necessarily want to, but because we have to. Because the people developing IoT technologies have a responsibility, and they must be made to listen. Because someday, very soon, our lives will depend on it.
Perhaps this is why Arm decided to make cybersecurity the centerpiece of discussion at the 2017 Arm TechCon. The company has even gone as far as to release a security manifesto, outlining its commitment to cybersecurity in IoT.
Between several keynotes and panels, all offering warnings and possible solutions to the potential cybersecurity crisis we will face as IoT devices proliferate, it may have been easy for any first-time attendee to assume Arm TechCon was a cybersecurity conference.
Abraham Maslow, the founder of humanistic psychology, believed humans functioned on a pyramidal hierarchy of needs. At the bottom are physiological needs like food and water, then come safety and shelter. Only once the basest needs are met can humans hope to attain higher needs: love, self-esteem, and eventually some form of enlightenment, which Maslow dubbed self-actualization.
In a conference keynote, Dipesh Patel, President of the IoT Services Group at Arm, said that IoT has its own hierarchy of needs, with security being one of the most basic needs. “Security must be a first-class citizen,” Patel said, adding that security, along with simplicity and scalability, will be an absolute necessity for IoT to proliferate. “For IoT to scale we have to make it very easy to be created, deployed, and managed through its lifecycle,” he said. Naturally, Patel espoused the virtues of Arm’s own products and initiatives in delivering on all of this – particularly its Mbed platform for developing IoT products and its new Platform Security Architecture (PSA), a proposed framework, based on industry best practices, for building secure IoT devices.
Masayoshi Son, CEO of Arm’s parent company, Softbank, has pledged the lofty goal of having one trillion IoT sensors deployed in the world by 2035. It’s certainly an exciting idea in terms of having so much technology integrated into our daily lives, but noted technology journalist Stacey Higginbotham told an audience at her own keynote that even considering such a thing also forces us to re-examine our very relationship with technology and how we create it.
How do you secure a trillion anything? Higginbotham asked, adding that she believed even PSA doesn’t go far enough. For Higginbotham, a trillion devices isn’t just a massive distribution of technology, it’s an ecosystem, man-made rather than natural, but still just as deep and complex as any forest, jungle, or desert on Earth. As such, she believes we will have to think about IoT in the same way we think about the natural world – as a complex, dynamic system that is always around us and always working. “IoT is much more intrusive, but also much more invisible,” she said. “So we have to guide this ecosystem in the direction that we want.”
Higginbotham suggested that old models of security aren’t working. And even the hacks we worry about today are old school and not native to the trillion-sensor world we’re headed toward. New technology like IoT means new hacks, things like bad data. Higginbotham shared a story of a client of hers who runs a farm that uses soil moisture sensors to tell when crops need to be watered. A malicious individual was able to spoof a soil sensor, telling the system an area was dry, leading to excessive watering that resulted in the farmer being fined for overusing water. Right now we teach computers in terms of if/then (if the soil is dry, then water it), but we need to teach computers about lying and how to recognize when they’re being lied to.
More Sensors, More Problems
A radical new world, where IoT sensors outnumber humans by nearly 1,000 to one, is going to require radical new solutions for security. In an Arm TechCon session on “Brokering of IoT Identities,” Ben Smeets, a Senior Expert in Trusted Computing at Ericsson, proposed blockchain, the underlying technology behind Bitcoin, as a solution to IoT security. Rather than relying on new systems of centralized security, Smeets proposed using blockchain’s distributed ledger for the purposes of authentication. The concept makes sense. Why should a distributed network of sensors, all likely using different protocols and standards, have to rely on a centralized form of security? Ericsson partnered with Arm and demonstrated a proof-of-concept of this idea at Mobile World Congress 2017.
For Higginbotham, another solution involves rethinking how engineers, and everyone else, code. “The idea of forcing everyone to learn to code to live in the IoT world is insane,” she said. As more and more devices interact, it will only require increasingly complex coding, and all of that added complexity will come with a higher risk for glitches and bugs that would be like welcome mats to hackers. More devices will mean a greater need for automation, and that means a greater need to make coding less difficult. The question then is can designers and engineers model systems dynamic enough that any engineer can use them… that will allow us to rely on computers, but also maintain a measure of control?
And all of those seeking solutions may be ignoring the biggest cybersecurity threat to IoT – humans themselves. In her keynote, cybersecurity consultant and founder of the cybersecurity website Cyber.uk, Jessica Barker, told Arm TechCon attendees that cybersecurity is really all about people. All of the hardware- and software-based security measures in the world won’t be enough to safeguard against the social engineering hacks that target people – employees of companies who can be tricked via fake emails, phone calls, social media, or other methods into doing the criminals’ work of illegally accessing a system or device for them.
In an interview with Design News, Barker noted that sometimes targeting people can even be the easiest method into a system. “One of the cheapest and most effective ways to target an organization is to target its people. Attackers use psychological tricks that have been used throughout mankind,” Barker said. “Using the Internet, con tricks can be carried out on a large scale. The criminals do reconnaissance to find out about targets over email. Then they effectively take advantage of key human traits.”
Here and Now vs. Tomorrow
For Maslow, our current state of well-being, our quality of mental health, was easily reflected by our position on the hierarchy of needs. Negative traits, neuroses, and disorders can be traced back to your desire or want for a particular need on the hierarchy. Humanistic psychology emphasizes free will and self-determination, making each individual responsible for his or her own well-being and journey toward actualization. In the humanistic sense, the psychologist’s job is to point these truths out to the individual so that they can take the best course of action for themselves. Of course, doing this requires the individual to have a level of maturity that makes them capable of self-examination.
Taking this perspective, perhaps IoT hasn’t matured to the point where its aches and pains can easily be diagnosed. Maybe we can’t diagnose the security issues because they haven’t become prominent enough yet? Perhaps IoT is still in its infancy and its real issues won’t be clear until adolescence?
But can engineers afford to wait? Humanistic psychologists tend to emphasize the here and now, addressing needs as they manifest in the present. But if IoT isn’t concerned with the future it will likely find that a trillion unsecured devices is too big of a problem to solve by the time it gets there. “Adapting to this world is going to take time, but we have to do it and in a way that respects human creative the dynamic of computers,” Higginbotham said.
But even knowing all of this, one has to wonder if there is anyone out there listening. If so, are they going to do anything before it’s too late?