BreachExchange mailing list archives

What's the next challenge for cyber security?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 12 Nov 2015 13:49:53 -0700

http://www.theguardian.com/higher-education-network/coventry-university-partner-zone/2015/nov/12/whats-the-next-challenge-for-cyber-security

Not a week goes by without hearing a story about a successful cyber attack
compromising a critical system, hacking into a car, or a personal data
breach. Script kiddies, online fraudsters, state-sponsored hackers all
abound. Recent repeated attacks on TalkTalk and Sony show that we do not
learn from the past. It appears things are broken and they remain so. Where
are we headed?

We live in an age where everything around us is increasingly digital and
connected, and increasingly has a mind of its own. Modern systems are a mix
of complex software (often millions of lines of computer code), hard physical
components as well as software parts, and human-driven social networks
enabled through some digital fabric. They are to be found in traditional
domains such as cyberspace, finance and healthcare, but also in emerging
domains including automotive, rail, aviation, energy, and smart cities.
This is a significant departure from how things were a couple of decades
ago.

Over the next decade such systems are expected to feature higher levels of
autonomy, bringing together advances in sensing and intelligent decision
making. There are also increasing levels of interconnectivity, where
communication is opportunistic and ad hoc. Imagine a smart city where
connected autonomous cars are able to talk to each other and their
surroundings to be aware of traffic routes, road works and safety hazards.
Based on real-time information, such cars may then decide on how fast to
drive and where to park. And now imagine what would happen if some part of
this “system of systems” was hacked!

The notion of “systems security” aims to address security, privacy and
resilience properties in such systems. Acknowledging this requires a mix of
technology, policy and behaviour. The case for security and privacy is made
given the growing threat landscape. This is due to both targeted attacks
aimed at data and operational compromise, and implications of the use and
design of the software leading to security violations. Resilience is
equally important if systems are to continue to work despite some
compromise.

There has to be a push towards building systems so that security is
factored in by design. This is not an easy challenge however.

The computer science community has long been working on methods for
rigorous design of digital systems. Such design and development needs to
acknowledge some parts of a system may not be relied upon for security. A
modern car may have several Engine Control Units (ECUs) that are
interconnected and control various aspects from Bluetooth to brakes.
What happens if hacking through the Bluetooth affects the brakes?

Policy is equally important as technology does not exist in a vacuum.
Issues of ownership, governance, liability and risk all affect our use of
technology, as does the technical design itself. If a modern car is hacked
to cause the brakes to fail, who is responsible? The manufacturer or the driver?

Academia, industry and the government are increasingly aware of this and
need to come together to address these technology and policy mechanisms.
Industry trends and policy discourse are also catching up. There is however
a need to bring together stakeholders to help form a clearer view of what the
specific challenges are and how they can be overcome.

Enabling various stakeholders in the supply chain to address the above
through research, innovation and knowledge transfer would remain a
challenge.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
