The cybersecurity arms race
By Dustin Brewer
The patriotic British song Rule Britannia exclaims the nation’s pride in its strong navy – the force that enabled it to secure profitable trade routes and create a pan-global empire. A modern revision will have to switch ships for CPU chips, as computing and technological might mark out this age’s superpowers.
While we revise it, however, we should be conscious that at least one historical comparison can remain intact. Still true, from that age of empire-building, is the idea that power is unevenly shared – largely split between behemoth private companies and nation states, with smaller businesses and individuals carried along in the wash they create. How long it remains true is up for debate.
Power in this new, digital world is not simply a question of who controls the flows of data and information. However, there is an interesting multiplier effect that currently plays a large role in which services are used by which companies (AWS, Google, etc.) – the organisations that control the most data will have the most powerful processors to make use of it, providing more value and attracting more customers and their data.
However, as there are such large amounts of data, and so many primary and alternative sources, insights can be drawn by anyone. The future (and its security), it seems, belongs to those with the computing might and the analytical heft to make sense of it all and turn it to their own advantage. The year 2020 will mark a confluence of three themes that will bring this sharply into focus.
Efficiency gains from intelligent tools
While there’s still a thirst for enormous flows of data, it should be recognised that for cybersecurity at least, even tiny amounts can be extremely impactful, if the right tools are used. Very few pieces of information from anonymous data-sets are needed to identify individuals and construct vivid profiles, or a “pattern of life”, of them from open-source and even social media data. If you own these data sets (say, for instance, through monitoring users’ activity on large ecommerce websites or web-search platforms), then it’s even easier to pull deeply individualised insights from the raw material.
Adding to this are proliferating developments in AI and ML techniques, which can pull crucial information from data sets — completing the profile-building process at blistering speeds. These tools are not restricted to benign individuals or groups, and are becoming very easy to acquire and use – so their offensive capabilities will be felt much more keenly in the coming 12 months.
One key additional note, when discussing data, is privacy. Cybercrime victims are often alerted to the criminal use of their data. But what happens when it’s not a criminal, and the questionable use of data is not so clear-cut? 2020 will mark a growing awareness and debate around corporate and state use of new forms of data, and the extent to which they use the information we willingly share. Even the U.S. Federal Government is beginning to look at legislation for data privacy.
Headlines about facial recognition in public, “alternative” data used in credit reporting to decide what access to finance we get, and creepy social credit systems already abound. The legal use of these incredibly efficient and intelligent systems to use data for potentially intrusive purposes will be the major debate next year, making it plain that when considering cybersecurity as a whole, the ideological split in what makes a good and bad actor is going to become blurred in places.
Computing power is being democratised – and we urgently need to consider the potential threats and vulnerabilities this creates. Quantum technology is undoubtedly a route to extremely powerful processing capabilities. The major developers in this field are making headlines with each breakthrough – delivering results previously unimagined. This sort of power can have unpredicted consequences when directed at either seemingly responsible or nefarious purposes.
One particular use of quantum technology needs careful examination. Quantum systems may be able to read encrypted software and messages in a matter of hours – eroding the best standard of privacy we have today. At the same time, quantum communications can create messages that are impossible to break into or alter – ultimate security for those who need it, whatever their purpose.
At the same time, quantum computing may come with its own unique security flaws and issues. One researcher postulated that quantum computing is impossible due to unknown and uncontrollable variables at the “microscopic level.” While making such a bold statement may cause some to disregard this claim, it should be cause to think about the possibilities of utilizing the unknown for data encryption and security purposes.
This, however, hasn’t stopped companies and countries from pouring massive amounts of time and money into research and development. China is reportedly spending $10 billion to build a quantum research facility for such purposes. This technology is still in its embryonic stage and needs a period of development before it’s ready for use in government, corporate or consumer spheres – but it’s crucial to track its progress and ensure it’s being used for humanity’s gain, not harm.
Still, as long as these capabilities are specialised, and the machines expensive enough that they can be kept from the world of cyber-crime, we will be OK. Right? Well, for good or for bad, there have been some (undeniably very impressive) breakthroughs in the last few months that go some way towards opening this technology up to the world.
The Quantum Communications Hub has developed chip-scale quantum communications, paving the way for quantum key distribution (QKD) to be integrated into small devices. Microsoft and others are actively promoting quantum algorithms that will run on a classical computer, and Amazon is promoting its Braket platform on AWS to get developers and scientists to start experimenting with the technology. 2020 will certainly be a year where these developments in quantum really become widely known, and these questions will become urgent.
Image and reputation still arguably hold just as much power as an organisation’s actual computing clout. Businesses and consumers in some regions are now significantly nervous about a cyber-attack from potential geopolitical adversaries. Often anxieties arise as those businesses or individuals are swept up in a political narrative, sometimes one which overplays attack risks. This nervousness then changes the way businesses, governments and consumers behave.
The default position effect may be seen in private industry as well, with special relevance when we consider privacy and access to our personal data. Google and Facebook, common targets for attack on this topic, still enjoy valuable custom among huge percentages of the global population. Their dominance (though they’re by no means the only ones) means consumers and businesses have little choice but to engage, placing trust in the companies to keep data safe. In return, that data is fuel for the algorithms that allow ever more intrusive and granular targeting of consumers.
The coming year will see serious security challenges presented by all three areas – efficiency from improved analytics, cloud computing power and market momentum – which make challenging the status quo difficult. Whether or not the future will be owned by firms with raw technological might, any defensive or risk-management strategy must heed these global themes, investigate the impact on their organisations and users, and chart a course through.