What are cybersecurity professionals talking about? How do companies work to protect systems in an age where it seems like a hacker or other malicious party is around every corner?
Looking at some of the profound challenges that businesses face right now can provide some insight into how companies should circle the wagons. Here are some of the relevant issues for determining how to set up your systems against cyberattacks to protect sensitive information in the digital age.
Dealing with the Attack Surface
Complex systems produce elaborate results – new machine learning tools can deliver all sorts of business intelligence that helps companies to increase capability. However, this also leads to a larger and more complex infrastructure for hackers to work on – professionals talk about the “attack surface” as the total sum of all points vulnerable to cyberattack – and lots of experts talk about how large attack surfaces are hard to secure. There is even the idea that in the future, artificial intelligence (AI) programs will be able to broaden the attack surface and allow hackers more access to systems.
“Unfortunately, current machine-learning models have a large attack surface as they were designed and trained to have good average performance, but not necessarily worst-case performance, which is typically what is sought after from a security perspective,” says Nicolas Papernot, Google PhD Fellow in Security at Pennsylvania State University, as quoted in a GCN article by Karen Epper Hoffman.
The attack surface makes a big difference, which is why security professionals are always trying to shrink it. With newer and more complex systems, that can be a tall order.
Proliferation of Goals
Greater access to automation and artificial intelligence will also increase the number of attack vectors, because so many different actors will have so much access to potentially destructive tools. Some talk about this using the language of “goals” – for instance, in a Harvard Business Review piece, Roman V. Yampolskiy cites Bostrom's “orthogonality thesis” to talk about how an artificial intelligence system can “have any combination of intelligence and goals.” Bostrom’s thesis holds that, despite their intelligence, AI entities will not have a converging focus or nature, but instead, will diversify. This, then, points to the idea that there will be considerable “chaos” around AI handling as AI progresses.
Remarking that goals can be introduced through initial design or later, this author acknowledges the rise of new “U-hack-it” or “make your own cyberattack” systems, for example, ransomware as a service: the idea that hackers can simply download RaaS systems and perform their own ransomware attacks is certainly a scary one. That’s part of what it means to look at the “proliferation of goals” – in other words, a proliferation of opportunities and cyberattack scenarios that never existed before.
The AI “Arms Race”
In a very real sense, the emergence of artificial intelligence is going to be a race between hackers on one hand, and security professionals on the other. Just like prior technologies, for example, as with the power of codebase programming, one side will be looking to invade, and the other side will be looking to repel.
Of course, the white hat community has the same ability to leverage AI, and to do it in agile ways. For instance, there is the story of the father-son team assembling a voice-activated cybersecurity tool called “Havyn” with a Raspberry Pi device in their basement, just like another father and son might assemble a pine box derby car. These “easy innovations” can add brighter outlooks for security. At the same time, though, all of those freelance hackers will be doing their own designs in their own basements, and the result will be an escalating conflict with a very nebulous final outcome.
The internet of things (IoT) is another concept that's great for performance and innovation, but potentially terrible for security. All of these little connected devices will have their own spheres of operations, and potentially, many of them will also be endpoints. Others will be entryways where hackers can get near-edge access and then penetrate a system through some loophole built into the device connection. With infinite connectivity, there will be practically infinite vulnerability.
“With the internet of things every company becomes a technology company, and every company becomes a security company.” says Chris Young, SVP-Security Business Group at Cisco, in a Forbes piece about the state of cybersecurity. Every company is a security company, indeed, because the security necessities are so dire, and so broadly applied.
In the end, all of these new technologies will put more pressure on the security community, which will have to keep up with the times – addressing ever more powerful connectivity lockdown models and ways to keep artificial intelligence-based attacks from overwhelming systems.
To do this, companies need effective cybersecurity platforms. There is a value in having one universal platform with many tools combined, to be able to run a command center against the full spectrum of hacking attempts and cyberattacks. Heather Adkins, Manager of Information Security at Google, puts in her own two cents on resistant design in the same Forbes piece this way:
For the last 20 years we've been playing catch-up to fix operating systems that were designed in the '60s and '70s. We need to rethink that from the ground up. For instance, instead of running lots of different programs and apps, we should have users work with a single interface, like a browser, through which they can do multiple things. That will keep the attack surface smaller: If you have a big castle, it's hard to defend, but if you have a smaller castle, it's easier.
That can be said for an end user OS as well as a cybersecurity command center. Universal console design is one aspect of how new systems can serve those who man the front gates against the floods of attackers roiling around corporate networks. A good security console should have an abundance of microservices, each of which addresses some type of vulnerability and strengthens the security architecture – nothing less will allow companies to develop a robust defense, in a time when they need it most.