There have been a number of notable presentations at this week’s RSA Conference USA 2016, which you can read about here and here. Some panels have stood out above the rest. One of these was “Securing Large-Scale Socio-Technical Systems,” presented by Bruce Schneier (@schneierblog), chief technology officer at Resilient Systems.
Bruce Schneier gave a very thought-provoking and eye-opening presentation in which he painted a picture of our current state of computer technology and how we must confront certain challenges that extend beyond our current approaches to security.
Everything around us nowadays can be viewed as a computer. Your car is a rolling computer. Your phone is a mobile computer. Your house is quickly becoming a computer. Obviously, these aren’t computers in the traditional sense. A better term is a cyber-physical system, which is an integrated system of electrical, mechanical, chemical, and computing systems. These systems are pervasive. As such, Schneier claimed that we have built a world around us that is highly socio-technical, meaning that it relates to the interactions between people and technology. For instance, credit card technology is a socio-technical system to the extent that it allows us (society) to conduct commerce using technology.
Schneier went on to describe how all of the socio-technical systems that we have built are rapidly being interconnected in many ways, including ways that were never anticipated in their design. That is because, as Schneier stated, socio-technical systems have emergent behaviors. Emergent behavior occurs when multiple systems come together to produce results that were never conceived of when any particular subsystem was first designed.
Furthermore, he described the Internet of Things (IoT) as a collection of sensors, data processors, and actuators. Sensors collect data from the world around us and send it to data processors. The data processors make control decisions based on that data and then send instructions to actuators, which make adjustments to fulfill the control decision. He said this is leading us to an Internet that senses, thinks, and acts.
Based on these observations, Schneier stated that we are building a world-sized robot. Think about it: we are adopting IoT technology with characteristics of a robot. He referred to this overall collection of “robotic” Internet technology and its associated socio-technical systems as the “World Size Web” (WSW), which is here to benefit society.
To illustrate this fact, think of how we use navigation systems on our smartphones to help us find the optimal route to a destination, how we use smart home sensors to optimize energy consumption, or how we use health sensors to optimize our well-being. The list goes on and on.
At the same time, however, Schneier was careful to point out that the WSW has sparked trends that will affect society in ways that we cannot predict.
Schneier stated that currently attackers have the upper hand, a trend which is due to technology gaps created by the WSW. In particular, cyber-attacks are currently easier than defense because we live in a socio-technical world that knows more about us than we know about it. This “gap” creates a large attack surface for security practitioners to manage, whereas attackers only need to find one weak link in order to succeed.
Building a robust system with good security requires that the entire ecosystem of security components works together. Unfortunately, Schneier claimed that we do not currently have the engineering capabilities or the appropriate incentive structures to solve the security problem. He suggested that our current practices, especially when looking at the holistic socio-technical aspect, are broken because they do not work together.
He also used the current battle between the FBI and Apple as an example. These are social systems battling each other over technology systems because policy makers and technologists are on opposite sides of an ongoing debate. The “socio” component will therefore be critical to solving the security problem; whatever solution we arrive at will involve the use of law, policy, psychology, and economics.
Lastly, Schneier expressed his belief that markets cannot solve the security problem due to incentives and that some form of government involvement will be needed to address our current and future security problems. However, it will require smart government and regulations that are different from our existing structures, such as a government highly compartmentalized into separate silos of transportation, air traffic, food & drug, and agriculture. Security issues cut across silos, Schneier argued, which makes these agencies inappropriate and inefficient for addressing the problem.