McCumber’s Magic Cybersecurity 8-Ball

John Hurley, CC BY 4.0 , via Wikimedia Commons

The holiday season for tech writers has started early in the Corona Year.  I was asked to contribute my thoughts on “the future of cybersecurity”.  I am going to get a jump on my cybersecurity colleagues and get those mandatory predictions out there now before the rush.  The custom for making these predictions go back a couple decades as technology writers always scramble for something to write about during the slow-news holiday season.  I could have opted for the standard article tech writers lean on this time of year – dire warnings about online scams and credit card tomfoolery as your mom tries to buy Hallmark ornaments for your Christmas gift.  But allow me to focus on issues far less dramatic, but likely far more import.

Several prognosticators have already touted the coming of a password-less society.  What do you use if not a password?  For most, it’s the use of rich data that can quickly identify a unique individual through an agglomeration of data known about them.  Whether or not this is good or bad depends on your perceptive.  One perspective you are likely safe to ignore are the opinions of tech writers.

We have already been given a glimpse of the no-password future by the widespread adoption of facial-recognition capabilities on mobile phones and other devices. Using extensive and rich data to identify individuals for the purposes of  identification and authorization is rife with privacy and aggregation issues.  Of course, the limited ability to hold multinational businesses such as banks, brokerage houses, and even online retailers accountable may aid in its adoption even if individuals and civil rights organizations protest the change.  National legislation to curb abuses is often thwarted by monopolistic corporations with a global footprint and deep financial reserves.  However, it remains true that the simple username/password format is far easier to implement and administer for the foreseeable future.

Another perennial prediction is that THIS year, we’ll finally have a Congress pass comprehensive cybersecurity legislation. Endeavoring to legislate away cybersecurity problems already has a storied and checkered history.  Using laws to manage technology is akin to using only a rearview mirror to drive a Ferrari.  Laws can only look backwards.  The best laws are simple and focus on principles rather than processes and outcomes.  SOX established and defined processes that should result in the desired outcomes. Our experience shows that has not always been the case.

It wouldn’t be a good annual prediction without a swipe at the technology vendors.  If they didn’t build and sell slap-dash products we would be getting ahead of nefarious activities.  I would argue that the slap-dash nature of security offerings is not the most significant cause in the increasing number and severity of cyber-attacks.  The products and personnel elements of this industry are mostly separate.

Vendors endeavor to automate what were mostly initially human/machine interactions.  But like legislative problems, developing a hardware/software product solution to a security problem relies on being able to replicate both the problem and the solution accurately over applicable technology platforms.  Again, this is using a rearview mirror approach to determine recurring threats and identifying vulnerabilities, followed by automating the remediation. As we continue our lurching progress using what is called either artificial intelligence or machine learning, we will see the security industry attempt to define and thwart malicious behaviors outside our historical experiences: somewhat like a data-driven Minority Report.  One of the wags I like using to explain cloud computing is, there is no “cloud”, there are just other peoples’ computers.  The same correlation applies to artificial intelligence: it’s just someone else’s algorithm.  There is really nothing revolutionary about it.

A key area of unintended consequences of all this will undoubtedly be one of misplaced or purloined trust.  Trust lies at the center of any security environment.  It is used define the enforcement policies of our physical environment as well as coded into our software systems.  As we seek to ascribe value to information and the trustworthiness of individuals, we will without a doubt break some of the long-established rules and policies that have been employed for centuries to protect resources. We have repeatedly attempted to automate systems that enforce long-accepted accounting practices for financial probity.  The headlong rush to move to an AI/ML future ensures many, if not most, will fall victim to our inability to effectively recreate the physical trust environment in a virtual world. Modern slang terms arising around these phenomena include “catfishing” and “gas lighting” among others.  It’s easy to predict such problems will continue for the foreseeable future. 

But that’s just me, and my Magic 8-ball is a little foggy after all these years.