Infosec 2040 – Neural Implants Hacked
By Mike Small, senior analyst, Kuppinger Cole
What does the future hold for IT security? That was the question I was asked to address in my talk to the 50th anniversary meeting of the BCS IRMA (Information Risk Management and Assurance) group. Here are some thoughts on the evolution of information security over the next 25 years made with help from the Information Security Group at Royal Holloway.
Making predictions is always difficult and experts are notoriously poor at this. When we make predictions we often look through a mirror at the past rather than through a telescope into the future. Nevertheless history is important because it shows us the mistakes we need to avoid.
Today we are living through the information revolution. This is creating changes in the way we live, work and socialize that are as important as those that occurred during the industrial revolution. Just as then people are losing their jobs to new technologies, new dangers are emerging, and the environment in which we live is being changed. However it takes time for our culture to adapt so, while change brings opportunities, it also creates tensions.
The price of storing data has fallen to the point where it is cheaper to keep data than to delete it. Not only can we collect and store this torrent of data but we also have sophisticated tools capable of analysing it. The advent of the cloud means that these tools are also incredibly cheap and can be used by anyone. We are moving to a world where nothing is ever forgotten and everything that has been recorded can be related.
However most of the technology that is used to process this information was not developed with security as a priority. The business model which has supported this revolution is one where the first to market wins; this has led to a focus on function first and security last. We are now building smart infrastructure that we will depend upon for decades to come using technology that is already vulnerable. Will our cities be held to ransom by this choice in years to come?
Rulers and governments have always wanted to control and monitor communications but now commercial organizations are also amassing data like never before. Which is worse? Criminals and terrorists are exploiting the new technologies to operate more effectively. The torrent of data makes their communications hard to isolate and jurisdictional boundaries provide plenty of places for them to hide.
So how will this change our culture? In this context by culture I mean a common set of ideas, beliefs, and behaviours around the use of information that are expected, reinforced and rewarded. Currently people have expectations of privacy and trust. They expect that information will only be used in a way that will not cause them damage, and that they can trust organizations and their contacts to respect this.
However the volume of data being collected together with the ability to analyse it threatens to overwhelm these expectations to a point where very little will remain private. Will our expectations change towards an obligation of openness rather than one of privacy? Will the people who demand privacy be persecuted like the Luddites of the 19th century or will we find a way to control how this tidal wave of data is used?
Against this backdrop here are some possible information security concerns in the year 2040 in the form of imaginary news items.
Neural Implants hacked – in the early years of the 21st century technology was developed to help the deaf to hear, the blind to see and amputees to walk. This technology provided a connection between the human nervous system and electro-mechanical devices. By 2030 it had advanced beyond medical uses to spheres where a direct connection between the brain and the device would provide enhanced performance in defence, commercial organization and professional sport. These developments were then commercialized allowing widespread consumer take-up of neural implants to enhance the user experience when interacting with online media. Now in 2040 it has been discovered that these devices contain security vulnerabilities that would allow them to be accessed remotely. Questions have been asked in parliament about the extent to which the government is reading the thoughts of its citizens. The government claims that only metadata is being collected.
First Conviction by Algorithmic Justice: In 2012 the Swift and Sure Justice report identified that the processes for handling the vast amount of information needed to ensure justice in the 21st century did not fully exploit the information technology available. This led to a drive to exploit information technology to the full in this area. However it remained clear that justice was still dependent upon the oratory of the counsels representing the case, the experience of the judge and the whims of the jurors. Hence the notion of algorithmic justice, based on undisputable facts using provable logic, was born. This, needless to say, was strongly opposed by the legal profession. However in 2040 the first person was convicted using algorithmic justice to prove guilt beyond doubt.
UK AI Defence system conned – in 2014 Professor Stephen Hawking warned that AI could spell the end of the human race. By 2040 the loss of employment caused by the widespread adoption of AI technologies had led to an underground movement called the HRF (Human Resistance Front) dedicated to opposing this technology. The government responded to these concerns by promising that all new technology would follow Asimov’s three laws of robotics. However this idea was quashed by legal arguments around who would be liable for autonomous actions initiated by AI systems. The HRF set out to find and exploit technological weaknesses in the AI system used for the defence of the UK. They succeeded in convincing this system that it was a threat so that it launched a tactical strike upon itself.
In conclusion, I am optimistic about the future; however, we need to adapt both culturally and technologically to the challenges that are posed by the information revolution. We need a consensus on how this tidal wave of data should be exploited and what should remain private. Finally we need to build security and privacy into the design of all information systems and their components or pay the price.
Acknowledgments to the alumni, students and staff of the ISG at Royal Holloway University of London including Steven Hersee, Jonathan Hoyland, Rob Lee, Dusan Repel, Sam Scott, Pip Thornton, and Professor Kenny Paterson for allowing me to use their views of the future in my talk.
Mike Small has been a Senior Analyst at KuppingerCole for more than 4 years and mainly focuses on security and risk management in the Cloud. He is a member of the London Chapter of ISACA Security Advisory Group, a Chartered Engineer, a Chartered Information Technology Professional, a Fellow of the British Computer Society, and a Member of the Institution of Engineering and Technology. Mike Small has a first class honors degree in engineering from Brunel University. Until 2009, he worked for CA (now CA Technologies Inc.) where he developed the identity and access management strategy for distributed systems. This strategy led to the developments and acquisitions that contributed to CA's IAM product line. At KuppingerCole he covers the topics Cloud Provider Selection and Assurance, Information Security Program Maturity Assessments, Information Stewardship as well as Big Data.