By Mary Wang. February 20, 2019.
Panelists (left to right): Ari Schwartz – Venable LLP Managing Director of Cyber Security Services (https://www.venable.com); Jen Ellis – Rapid7 Vice President of Community and Public Affairs (https://www.rapid7.com); Sam Curry – Cybereason Chief Product Officer (https://www.cybereason.com); Shane T. Stansbury – Moderator, Duke Law School
What do computers, advanced technology, cybersecurity lawyers, and squirrels have in common? All have an important role to play in cybersecurity risk management, according to the panel discussion hosted by Professor Shane T. Stansbury at the Duke Law School on February 6, 2019.
The three private-sector panelists identified a variety of security risks that businesses, governments, and individuals will face in the coming years. These risks include “second-order chaos,” proliferation of Internet of Things (IoT) devices, and complexity in understanding and remediating hardware and software vulnerabilities at the component level.
Sam Curry defined “second-order chaos” as intelligent, adaptive opponents whose actions will require defenders and owners to consider and counter second- and third-order effects of adversary actions. Activities in the cyber domain will impact physical domains in business, and connecting cyber and law sectors will be required to help counter this type of risk.
Jen Ellis identified IoT as the most interesting area of development, because it bridges the divide between the physical and virtual worlds, will make us think of security in new ways, and will bring automation and technology together in novel ways that connect individual users with technologies in their homes, cars, medical devices, air traffic control towers, and other critical infrastructure components.
Curry summed it up: “Everything that can be connected, will be connected.”
Ellis noted that traditional security meant confidentiality, availability, and integrity of data. Today, “security is more than data; it is safety.” Cyber safety will become increasingly critical because standard cybersecurity issues (like a compromised device) can increasingly result in physical harm or death, which raises the scale and scope of the problems that typically result from cyber insecurity. One group identified four main areas of concern: automotive, medical (though the FDA is pushing pre- and post-market initiatives), critical infrastructure, and home security products.
Ari Schwartz emphasized how important it will be to understand the provenance of each individual component of a system to ensure its security. He pondered how owners would protect the individual components that comprise devices, systems, and networks, and how they would address vulnerabilities in the way those components work together, especially with the advent of 5G technology and mesh connections. For attorneys, this will increase the complexity of liability contracts. Ellis added that increasing layers of technologies, where no one has full insight into an enterprise’s IT infrastructure or full understanding of responsibilities for shared services, will also present challenges. She suggested that consumers should be provided a “bill of materials” with a full list of components with known vulnerabilities.
Curry similarly identified two trends with cybersecurity implications: increased specialization within the supply chain (more specialized players and more materials), and globalization. The rate of change is increasing, he said, and cybersecurity professionals will have to revisit terms of goods and services and risk assessments more frequently as a result.
All panelists agreed that law and policy are lagging behind the incredible pace of change and innovation in technology. None of the panelists expected a near-term wave of legislation. Schwartz noted that most security components are currently tied to privacy legislation, and Ellis said she believed that regulation will happen at the state level before the federal government acts, noting California as the current example.
Stansbury prompted the panel to address why the U.S. has not seen more pervasive and consequential attacks against critical infrastructure. Responses included the notion that the threat might be hyper-sensationalized because of fear, uncertainty, and doubt. Other panelists encouraged the audience to consider the goals and motivations of actors who might try to cause infrastructure attacks—a point raised by the President’s former Homeland Security Advisor, Tom Bossert, at an event in fall 2018. Either way, we should expect internet-connected or digital infrastructure to continue to be targeted because doing so is relatively inexpensive and difficult to trace.
Of note is that none of the panelists—in contrast to some of our Cyber Club speakers, like Peter W. Singer—addressed the threat and use of misinformation by adversaries to undermine confidence in democratic institutions (e.g., electoral processes) by planting or amplifying doubt in the minds of U.S. citizens. Similarly, government and private-sector speakers for the AGS cyber program have recently noted their observations of increased ransomware attacks, which were not raised either.
As for our introduction…what do squirrels have to do with this topic? Panelists noted that some infrastructure outages have not been caused by criminals, nation-states, or terrorists, but rather squirrels with voracious appetites gnawing through wires and cables.
Mary Wang is a first-year majoring in computer science and a member of the Duke Cyber Team.