What is going to shape the cybersecurity landscape of the future? According to Peter W. Singer, an author and geopolitical strategist with the New America Foundation, there are many factors at play. He sat down with RSA Conference to talk about robots, encryption, the geopolitical landscape, and more in advance of his keynote, NextWar: The Future of Technology and Geopolitics, at the Innovation Sandbox event at this year’s conference in San Francisco.
RSAC: What's your biggest concern about what the InfoSec industry is facing today?
Singer: The human capital side of things. It's not as sexy as debates over encryption or the Internet of Things. This is not to say these issues aren't critically important, but that the people side doesn’t get as much discussion in the policy space as I think it should.
People tend to be aware of the problem on the corporate side, but it’s a bigger concern in government. For example, 40 percent of the cybersecurity slots at the FBI are open right now, which means you have field offices without this expertise. In fact, at a number of government agencies, they've seen a reduction in the number of people—everywhere from the Department of Agriculture to the Department of Veterans Affairs. Think of it this way: for all the years we spent fighting over the recent legislation on info-sharing, it wouldn’t have done anything to stop breaches like at OPM. Getting the people problem solved “might” have.
There's an added layer to this problem, which is diversity. Less than 10 percent of the field is female according to the last report I saw, well below even the poor numbers in IT in general. You can look at it from both an engineering standpoint and an equality standpoint. On the engineering side, it’s that I have a pipeline problem and I'm not pulling from enough sources. The equality one is self-evident, especially when you note what a growing and lucrative field this is.
But on top of this, whether you think about this from an ecosystem or a marketplace perspective, there is huge value having diversity of ideas and diversity of backgrounds—not just in gender, or race, but also background. Those teams that are able to pull in all sorts of different perspectives, they are often able to draw insights into things that people from one background are not. We’ve seen that at cybersecurity competitions at the university level and also up to the marketplace-level.
RSAC: How has the security landscape changed in the wake of the Paris attacks?
Singer: Within the cybersecurity world, arguably nothing changed. Within the policy and media discourse world, there were some major changes. At the point of this interview in time, it does not appear that encrypted communication was key to them pulling off the attack. Indeed, we can see that in the fact that a number of the attackers were from the same actual neighborhood. They were coordinating through different means. So too the idea that this was all hidden away on the Dark Web. The mastermind of it had actually appeared in Dabiq—the ISIS online magazine—talking about his plans for conducting terrorist attacks in Europe and sneaking people in.
From what we've been able to learn, it was not integral to it, and yet the encryption debate got heated back up. The same kind of disconnect we’ve seen in the discourse on the evils of social media. In the case of the San Bernardino attack, it appears that the two individuals were radicalized as far back as 2012, actually before ISIS was even a major player.
So, while substantively there hasn’t yet been a tight link shown, these horrific attacks, and how scary they are, have reenergized the encryption debate, which seemingly had been put to bed. It's changed the political, media and public discourse over it.
I think that's the concern for a lot of the experts in the field, that, well, that disconnect of incidents and the debate itself. If you look at polling and surveys of experts, there are consistent majorities that point out the fact that if you weaken encryption, it may not get you the counterterrorism breakthroughs that you're claiming, but it is going to make it easier to carry out other cybersecurity harms on the wider public.
RSAC: Where do you see the role of individuals versus organizations in managing privacy and ensuring cybersecurity?
Singer: The challenge here is that there have always been redefinitions of basic concepts like “security” and “privacy” throughout history—and it’s particularly shaped by technology. RSA is about online security. A couple of decades ago, that wouldn’t have even made much sense, the “security” of an imaginary world. Now it's a crucial issue. So too our modern privacy laws were actually created by the invention of the mobile camera. It was basically people having their pictures taken in settings that they didn't control that shaped our modern notions of privacy more than 150 years back.
So there has been this balancing act, where people tend to emphasize one or the other, security or privacy, and that is shaped by the political context of the time, how fearful people are and what are they fearful of. There is also often a pendulum nature to it—we swing back and forth and usually there's an overreaction to one or the other.
One thing that may be different about this debate is whether security and privacy are inherently in opposition to one another in the traditional way we frame the problem. I think that's one of the aspects of the encryption debate that people get wrong. You can make a very strong argument that something that’s good for privacy is something that’s good for general security… The problem is that may be good in general, but the advocates on the other side are pointing at specifics.
That’s how I'd like to see the debate rewritten. You can see this where law enforcement is saying, “I really want access to information X, because it will really help me in this particular crime at this particular time,” when simultaneously it's going to make the wider community less safe over a wider period.
RSAC: What is the biggest issue we will see cybersecurity tackling in the next five years?
Singer: We already talked about the human side. The other I think is going to be incredibly challenging is the Internet of Things. We know IoT is growing at an incredible scale, and the numbers are astounding, but we also need to face up to the fact that there are several factors that challenge us when it comes to the basic security for it.
First, many of the companies involved don’t have great experience in security and/or don't see themselves as security players—or frankly even IT players. You can see this with what's played out in car companies. They see themselves as making big physical rolling objects, when actually what they're now making is rolling networks of computers. It’s just not in their DNA, let alone in the kind of expertise that gets incentivized and promoted in such firms.
You can see that, in turn, mirrored on the policy side. For example, the FDA is now faced with regulating everything from drugs to tongue depressors to medical robots to software. It's not just a capacity problem, but it's how they look at their world. Their focus in the past has been on how to make sure that things—whether it's the drug or the tongue depressor—work as they are designed to. They've not been focused on, “Well, how will someone deliberately break or misuse this?”
To use an example, something that’s shown to be hackable is insulin pumps. In the past, the vetting of such a new device was simply a matter of asking “Does it work as designed and claimed?” Now you have to ask, “Does it also have a vulnerability that can be exploited?”
The other challenge is that it's such a fast-moving space that companies feel pressure to push things out rapidly—and just like what happens in software—sometimes speed comes at the expense of good security.
Another aspect of this is that companies have had not-so-great incentives to take security seriously—which is something we saw was a danger on the Internet software side of things. It's also going to bite some companies that view themselves as hardware companies. It's going to bite them in the butt. It's not something they've been incentivized to take seriously, but they will when the first lawsuits start rolling in.
There are researchers that have talked about how it took long periods of time for the rail industry or the car industry to take safety and security seriously. It took not just years but decades to get things like seatbelts and air bags.
The challenge is that we're talking about a space that moves more rapidly, so if they have that kind of delay… when it comes to IoT vulnerabilities, we're going to be in a really bad place. The stakes are different because with the IoT you cannot just steal or block information, you can actually cause physical change in the world that utilizes that information. It’s the move that Stuxnet showed off, that you can actually cause kinetic damage and real, true, touchable loss.
RSAC: What new technology will be pervasive in five years?
Singer: Robotics. We're getting to the point where, much like what happened with computers, we'll stop calling them robots. They're becoming woven into life in all sorts of ways.
It will touch everything from agriculture to recreation to how warehouses operate to, very soon, transportation. Another aspect of this is how much—like what happened with computers—it’s being woven into an older technology. Just as your car has become computerized, frankly it is already becoming more and more robotic. It warns you of who is in your blind spot, parallel parks, all sorts of things that aren’t full autonomy a la the Google car, but are robotic. Just in the upcoming year, Mercedes Benz will be offering a car that has redefined old-school cruise control into the ability to drive down the road, accelerate, brake, stop, change lanes all without human interaction. But no one calls it “robotic.”
RSAC: And last, but certainly not least, what are you going to talk about at RSA Conference?
Singer: They've asked me to take the audience on a tour of the future of war and technology. So we're going to look at everything from what are the next game-changing technologies that are seemingly drawn from science fiction but becoming battlefield reality to how the who and where of war are being reshaped at the most fundamental level… to questions on how the geo-strategic and technology race will play out with China. It's going to be the 30,000-foot-tour about what war, technology and geopolitics might look like in the coming years.