
As the world becomes more digitally interconnected, maintaining cyber security will become more difficult. Digital tools are increasingly being connected to physical infrastructure, and properly securing the critical systems that result is essential. Organizations will have to make use of machine learning and artificial intelligence in order to better measure and report cyber risk, as they confront issues associated with the proliferation of devices powering smart cities and the Internet of Things.
This briefing is based on the views of a wide range of experts from the World Economic Forum’s Expert Network and is curated in partnership with Benjamin Fung, Canada Research Chair in Data Mining for Cybersecurity, Associate Professor, School of Information Studies, McGill University.
Cyber Privacy
Too little data is being anonymized, and too much is being put at risk
The number of payments made by card on the internet is expected to more than double worldwide between 2016 and 2022 (reaching 70 billion), according to research firm RBR. As the use of the internet, smart appliances, sophisticated mobile computing, and biometric data has increased, so have concerns about privacy and security. Calls to abridge privacy in the name of better security must be countered with solutions that strengthen both – and still manage to create a climate conducive to economic growth. Rules for data sharing, for example, must be transparent, incentivize all parties to adhere to them, and ensure privacy protection. The most pressing related challenges revolve around the transmission of personal data. Data collection has become a consistent part of everyday life, and a part of every electronic transaction. European regulators, for example, are seeking to address related issues with the General Data Protection Regulation, being implemented in 2018. That and other legal efforts come as people are not only paying more by card on websites, they are also increasingly paying through their mobile device – a machine loaded with personal information. According to the research firm eMarketer, in 2018 the percentage of all smartphone users aged 14 or older who are making a proximity mobile payment, where payment with a phone is made at an in-store terminal, will reach nearly 35%.
Currently, there is often a trade-off between the privacy afforded to individuals and the related information made available to researchers. However, simply removing personal attributes from a data set, for example, does not adequately protect privacy. In 2015, researchers from MIT, Rutgers, and Aarhus University in Denmark published a study in Science that used a set of financial data related to more than one million people, to show that simply using four pieces of anonymized data was enough to identify 90% of the individuals in the set. With data theft becoming increasingly common (notable recent cases include the theft of user information from Yahoo, and from the credit reporting agency Equifax), more must be done to protect individual privacy. In the age of big data, methods of quantifiably reducing the risk of re-identification must be developed, and agreed upon at both the commercial and government levels.
Cyber War
Delusion and a lack of international accords can exacerbate cyber vulnerability
While the internet began as military technology, cyber warfare is actually a relatively new concept – with which few people have any experience. Cyberspace has become a fifth dimension of warfare, in addition to land, sea, air, and space; countries should therefore prepare accordingly, by establishing standard procedures for defending against, and recovering from, related attacks. Small-scale cyber warfare is already occurring on a daily basis. The American and British governments, for example, issued statements in early 2018 blaming the Russian government for the “NotPetya” cyberattack, which they said was intended to destabilize Ukraine. The United Kingdom has also disclosed that it used its cyber capabilities as part of a military campaign to disrupt the online propaganda efforts of the Islamic State in 2017. By using so-called white hat hacking teams to test system security, countries can more proactively fortify their defenses; they should also carefully monitor the human element of their security, which can be exploited through social engineering. Most cyberattacks take advantage of human error by using tools such as phishing emails, according to a report published in 2018 by security firm Proofpoint.
Countries are vulnerable to attacks that target strategic assets and infrastructure, and disrupt internet traffic, as a means to create unrest. These threats are exacerbated by a lack of international agreements that govern cyber war, and establish rules for digital combat. As a result, the targets of nation-sponsored cyberattacks are not limited to the agencies of counterpart governments, and instead include private entities, like electric utilities – which are often not adequately equipped. In February 2018, United Nations Secretary General Antonio Guterres called for the establishment of global rules governing cyber warfare, in order to minimize the potential impact on civilians. Guterres said it is unclear how the Geneva Conventions, for example, which have long been looked to in order to regulate armed conflict, apply to cyber war. Some frameworks that have been implemented, such as the Wassenaar Arrangement, established in 1996 to control the export of arms, have had an unintended and adverse impact by making it difficult for cyber security researchers to conduct their work. For now, governments will have to largely rely on good habits like the regular monitoring of their national security assets, and on tools such as so-called honeypots – which leave seemingly sensitive data exposed in order to draw in and identify would-be attackers.
Security of Things
Thoughtful device design and communication can foster improved security
The so-called Internet of Things ties everything together, from our cars to our phones, to our medical devices and our houses, through internet connectivity. As devices more deeply penetrate our lives, we face new privacy and security vulnerabilities. With so much data being created, transferred and analysed, questions about consumer consent, compensation, and hidden costs must be addressed. The research firm Gartner has estimated that the total number of connected “things” will more than double to 20.4 billion by 2020 from 8.4 billion in 2017, while security spending related to the Internet of Things will reach $1.5 billion in 2018, a 28% increase compared with the prior year. The proliferation of related devices brings educational and other benefits, but also creates security concerns and raises ethical questions – such as, for example, to what degree insurance companies should be able to use personal biometric data to calculate premiums, particularly from unconsenting customers. Even Barbie Dolls now collect and analyse data. In 2015, the toy company Mattel released a Wi-Fi connected “Hello Barbie” doll that uses speech-recognition software and progressive learning features to “talk.”
As developers have sought to meet the growing demand for the Internet of Things, they have failed to adequately provide security and protect customer privacy. This will become an immense problem, as manufacturers depend on accurate shipping information, militaries depend on maintaining full control of armed drones, and patients depend on properly functioning, wireless insulin pumps. All could put privacy, money and lives at risk. When it comes to privacy, for example, the rules governing how customers can be treated by companies, based on personal characteristics, need to be more clearly defined; clear consent, information, and possibly even compensation should be exchanged. In terms of manufacturing, privacy and security must be implemented as fundamental features, as devices are designed. In 2016, Dyn, one of a number of DNS providers that enable the basic infrastructure of the internet, was attacked by thousands of compromised Internet of Things devices – resulting in downtime for many major websites in Europe and North America. Not only was this attack massive in terms of scale and impact, it was also notable for the ease with which it was mounted, as it only utilized a fraction of the total number of devices that had been compromised.
Source: Strategic Intelligence