Dan Geer: Cybersecurity is 'paramount national security risk'
The cybersecurity futurist gave a sobering look at what is likely to come in a world where change and growing interdependence is happening faster than anyone’s ability to manage it
Dan Geer probably wouldn't call himself a prophet. But he may come about as close to it as anyone in IT security. And his view is that while current trends in the online world are not necessarily irreversible, they are headed in a dystopian direction.
Geer, CISO at the venture capital firm In-Q-Tel, who gave the closing keynote at SOURCE Boston 2017 this past week, even cited a New Testament prophecy early on – I Corinthians 13:12: "For now we see through a glass, darkly; but then face to face: now I know in part; but then shall I know even as also I am known.”
But while he doesn’t claim prophet status, he is all about predictions. “The future is once and always the topic for any security talk,” he said, because, “cybersecurity and the future of humanity are conjoined now.”
Also because while geologic evolution can take millions of years, the cyber world is evolving, as he put it with significant understatement, “at a faster clock rate.”
Making predictions is practically universal – humans are hard-wired to make them, he said, quoting neuroscientist and engineer Jeff Hawkins, who called them, “the primary function of the neo-cortex, and the foundation of intelligence.”
But making them also requires an element of humility, he said, taking a line from novelist Warren Ellis: “I try not to get involved in the business of prediction. It's a quick way to look like an idiot.”
“Nevertheless,” Geer said, “I will now make some predictions.”
He made a lot of them – more than two dozen. Not the Alvin Toffler “Future Shock” type, but the kind that forecast the logical consequences of what is happening in the present. And they came across as through the glass clearly, not darkly.
Geer’s glimpses into the future included:
- Cyberinsecurity is and will remain the paramount national security risk.
- Mutual Assured Destruction, of the kind demonstrated by the Stuxnet attack on the Iranian nuclear program, won’t work the way it did with nuclear weapons. “The reason is attribution,” he said. “While intercontinental ballistic missiles have a visible flight path and a limited number of launch-capable governments, offensive software has neither.”
- Just as a public safety argument led to a mandate for continuous geocoding of mobile phones, a public safety argument will mandate geocoding of the internet.
- Major nation states will prevent products of other nation states from being used in some parts of what they consider their critical infrastructure. “Industrial espionage will thus rise in importance to nation states, as if it were not high enough already,” he said.
- Pre-deployment of cyber weaponry in otherwise non-military positions – devices, networks, etc. – is all but certain. Much of that will be for denial of information services, “but is likely to expand into disinformation as soon as sensors assume a place in the critical path for autonomous devices.”
- The most significant cybercrime rings “will continue to operate from a small number of sovereign jurisdictions where they enjoy tolerance, if not revenue sharing.”
- Cyber attack detection using behavioral techniques – anomaly detection against long-term norms – “will be used with greater vigor, but with immense side effects.”
- It will be “seductive” to turn over decision-making to machines, but it won’t be safe unless such systems will let humans override the machines. That will require maintaining, “the conditions for operating without that delegation.
“Except at the level of especially sentient cybersecurity practitioners such as some of you, this lesson will be learned the hard way,” he said.
- The characteristics of financial high-frequency trading – rapid-fire decision making by self-modifying algorithms – will begin to appear in other domains including government.
- The skills shortage in cybersecurity will not be solved. The 1 percent – the half-dozen enterprises able to pay any price for talent – will get all or most of that talent. Government won’t be part of that 1 percent.
- Because most critical infrastructure in Western societies is privately owned, governments will “deputize” them, willingly or not, to do things in the service of national security.
“This was, of course, the story around telephone records at AT&T, et al., and will be the story soon enough around cloud computing and data handlers,” he said.
- End-User License Agreements (EULA), most of which deny any liability for damage cause by a product, “will be effectively challenged as soon as a suitable crisis appears. Autonomous vehicles may be where such challenges draw their first blood.”
- The cybersecurity industry is in no danger of collapse, because there will always be more to do than can be done. “Cybersecurity as a formal science will remain a goal and not an accomplishment,” he said.
And if all those (and others) were not unsettling enough, Geer gave multiple examples that the future is now when it comes to pervasive surveillance and the loss of individual privacy, and that the tools to enable it are as prevalent in the private sector as the public.
“As anyone knows, what the government and only the government has today, the rich will have tomorrow,” he said. “What the rich have tomorrow the lumpen digitariat will have the day after tomorrow – and that is within a now-established precedent that general public use removes any prohibitions on use by government or other institutions.”
So, from facial recognition to motion sensors, to electromagnetic pulses from the heart, to microwaves, to Bluetooth signals, to omnipresent Wi-Fi routers, “what is fair game to observe is independent of wavelength – I have every power to capture what you emanate,” he said.
This, plus the continuing explosive growth of the Internet of Things (IoT) means that, “interdependence within society is today absolutely centered on the internet beyond all other dependencies excepting climate,” he said, “and the internet has a time rate of change five orders of magnitude faster.
“Remember, something becomes a ‘critical infrastructure’ as soon as it is widely enough adopted; adoption is the gateway drug to criticality,” he said.
That leaves the industry with two stark choices. “Either we damp down the rate of change, slowing it enough to give prediction operational validity, or we purposely increase unpredictability so that the opposition's targeting exercise grows too hard for them to do.
“In the former, we give up many and various sorts of progress. In the latter, we give up many and various sorts of freedom, as it would be the machines then in charge, not us. “Either way, the conjoining is irreversible,” he said, telling his audience of cybersecurity professionals that, “you have not picked a career. You have picked a crusade.”