[00:00:41] Tom Garrison: Hi, and welcome to the Cyber Security Inside podcast. I’m your host, Tom Garrison. And with me as always is my co-host, Camille Morhardt. How are you doing Camille?
[00:00:50] Camille Morhardt: I’m doing really well, Tom.
[00:00:51] Tom Garrison: So today we’re going to talk about an article that you and I both wrote that was published and specifically it focuses on future trends, things that we expect to be talking much more about in the coming year. And I think there are some interesting topics here, some of which we’ve talked about in previous podcasts and some of them, obviously we will dive into more throughout the year. So do you want to start off Camille with maybe one of the trends that we cover in the article?
[00:01:26] Camille Morhardt: Yeah, I think we could go through a few of them, and the article is a pretty short format. So I think we might elaborate a bit and talk about some of the conversations we’re looking forward to having this year. The first one that we addressed was critical infrastructure and how we’re protecting that. We talked about what is critical infrastructure, to begin with? We often think of it as pipelines, electric grids, water, kind of municipalities, or city services; but the very definition of critical infrastructure is surely expanding.
[00:02:05] Tom Garrison: Yeah, undoubtedly. I remember actually one of the conversations we had with one of our guests, I was sharing about back in my days in college, which wasn’t that long ago. My student ID was my social security number and it wasn’t that big of a deal to share that kind of private information. But as the world has become more connected, the risk goes up significantly with, in that case it was things like privacy and identity theft.
But when you think about critical infrastructure, the more connected everything becomes we don’t just worry about things like pipelines and electric grids. Now you’re talking really almost about every aspect of life in a society and how we communicate and how we do business and everything else. It all morphs into our new definition of what critical infrastructure is.
[00:03:08] Camille Morhardt: Right, because threats are not necessarily big explosions anymore; they can be destabilizing things that make people feel scared or uncomfortable. Like you were pointing out, if you use your student ID and you put your social security number in happily 30 years, or 20 years, or sorry, Tom, seven years ago, when you graduated from college, since there’s all kinds of things you can do if you’re a hacker with social security. Like people now are putting some of their genetic information online as they’re doing ancestry tracking. It’s like not a problem now, but what happens in 20 years? What could somebody use that for? We have to look more micro and also more macro when it comes to critical infrastructure.
So we all know how much of our classic telecoms infrastructure is now flying around in our inner or outer atmosphere right now, orbiting around us. And you know what happens–well, first of all, how do you update something like that as it’s orbiting the earth? And what happens if things like that get hacked? How are we going to address that kind of thing? And on the other side, looking inside, we did an episode on medical devices. How do you update something that’s inside of your body?
[00:04:24] Tom Garrison: Right. And you don’t want to have totally open interfaces where somebody walking next to you in the coffee shop can all of a sudden start changing your heart rhythm or something. That would be pretty rough. Obviously you want to be able to update stuff if it turns out that there are security vulnerabilities or maybe even not security related, but just performance type optimizations that you would want to be able to make inside your body without having to open yourself up and subject yourself to infection and other issues.
It’s fascinating when you think about infrastructure, in general, our definition of infrastructure–specifically critical infrastructure–I think is going to undergo a huge amount of change in just the next year, and certainly the few years that follow.
[00:05:13] Camille Morhardt: Yeah. And I think we know we’ll be diving more into that surely on our podcast.
[00:05:18] Tom Garrison: Yeah. Interesting stuff. So what other trends?
[00:05:21] Camille Morhardt: Okay. So another trend that we talked about was this buzz word or buzz phrase that flies around, it’s inescapable, Artificial Intelligence, or AI, or machine learning, and the good and the bad of it. Do you want to give us a summary?
[00:05:38] Tom Garrison: As with any technology really, it’s how you use the technology. Is it for the betterment of human society or is it to the detriment? AI will be exactly the same way. You can use AI to do things, solve problems that are really difficult to do. The best example that exists today and where people have their lives saved as a result is in radiology where people go in–women primarily, but also men–have x-rays that are read through AI and AI can detect anomalies far, far greater and far earlier than human eyes. Doctors can get in and address the issues at a much, much earlier stage, far sooner than they would have been able to detect through the human eye. And as a result, the outcome is oftentimes much greater. So that’s an example of AI for the benefit of society.
But there is the risk and it’s not just a risk, it’s the reality where AI will also be used to attack and it can be used in various forms. But one that we’ve talked about is using AI to attack systems, to attack software and so forth in ways that the human brain doesn’t even think about. So today when we think about security and we think about how to protect it, it’s often driven by how we think of the use of a device. Or we’ve talked also about the fact that when you test for security, you’re oftentimes purposely testing the device in a way it’s not supposed to be used. Again, that’s the way the human brain is working. And now enter Artificial Intelligence, there could be classes of attacks that the human brain hasn’t thought of yet. And that’s because we just don’t think about it that way. We can program Artificial Intelligence systems to go after and attack systems and how we protect against that only remains to be seen. As we learn the vulnerabilities and so forth, we’ll become a lot smarter about this, but I expect this to definitely be one of those areas where we’re very much in our infancy today. We’re gonna learn a whole lot in the not too distant future about Artificial Intelligence used to attack systems.
[00:08:07] Camille Morhardt: Yeah. And to bring it back to the very personal level, as in the topic we were just discussing, if you have a neuroprosthetic, for example, that helps you move your prosthetic arm, if humanity gets to the point where they can write that signal, if something like that is hacked, you can move somebody’s arm without their permission; and of course we can imagine it could get worse. So there’s the search for vulnerabilities in kind of corporate infrastructures and systems, there’s a search for vulnerabilities in critical infrastructure systems at the government level, and then also at the very personal level.
Let’s see what the next one is that we were looking at. We talked about this imperfect alignment of security and privacy, and the fact that I might almost suggest that security standards and agreements generally are maybe further ahead than privacy. We just had an interview about the critical infrastructure bill and discovered that while there’s a lot of allocation in the cybersecurity space, there is no specific allocation in the privacy space; and yet security and privacy are obviously, per our last example, interrelated.
[00:09:27] Tom Garrison: Yeah. Again, the definition of what privacy means is going to be evolving, just like critical infrastructure is going to be evolving and how we choose to protect that privacy is something where I think there’s so much more that we don’t know or haven’t really thought of when it comes to privacy. Just like my example I used a few minutes ago around my social security number, back in the day there was no problem. But now, what is the information that matters and how can that information be used in a way that maybe nobody’s considered up until now, but somebody will, and then obviously that now becomes privacy related, right? That you want to make sure that information doesn’t find its way to unintended folks. So this is another very fascinating area, lots of evolution that’s about to happen in the next few years.
[00:10:21] Camille Morhardt: I would say deeply interrelated with Artificial Intelligence. We’re looking at some emerging kinds of AI technologies just a few years old really, like federated learning, where one of the main ideas is that you’re protecting privacy of say an individual by instead of shipping a person’s raw data about something about them that’s medical, and then shipping it over the internet to a centralized learning model where you’re then going to generate insights from it; the idea is let’s really protect that by not even moving that personal information and instead let’s ship the model itself or aggregators of that model out to the hospital, collect the insights and ship the insights back, so that the personal data never leaves its point of origin, (i.e. the hospital).
Well, that’s great, it does one thing, but on the other hand, now we’re going to see increasing attacks on the model itself or the aggregators of the model. So we’ve just generated another kind of thing that we need to protect. We definitely need to be looking at the protection of the data itself, and also of the models. And we’re really going to have to evolve with that on the cybersecurity side.
[00:11:38] Tom Garrison: It occurs to me that people listening to this may not live in the cybersecurity world, may start saying, “are we just being paranoid?” And to the folks that maybe haven’t been as deep in some of these topics, these are not outlandish schemes or threats that could theoretically happen but will never happen. These are very real and they’re already happening or they’re right on the cusp of happening. So that while yes, maybe it might sound like outlandish, I can tell you based on what we know and what we’ve heard, these are pretty likely scenarios to happen.
[00:12:21] Camille Morhardt: Yeah. I think one day not too terribly long ago, the thought that ransomware would have crossed over into critical infrastructure was probably considered outlandish. And now we’ve got a news story out every other month or something on it.
[00:12:35] Tom Garrison: Or just the fact what the magnitude of ransomware. Right? If we had said three years ago that ransomware was going to be hundreds of billions of dollars a year or more–I’ve lost track now of where we’re at for ransomware–people would have said, “oh, you’re just pulling the fire alarm to get people’s attention.” Yeah, we were, but it wasn’t wrong, it was absolutely correct. I think this is an area where we’re talking about protecting information in transit by moving the model and not moving the data, that is absolutely happening and then that means now the model, which in the past was safe in the data center and operating in a very safe environment, now that model itself is going to be exposed to potential attacks.
[00:13:24] Camille Morhardt: So, we definitely need to look at data in all its states. Another thing that we looked at and we talked to a few different people to kind of get some insight into trust, trust of humans. We looked at insider threats, essentially. How do we get a sense of whether a computer is demonstrating activity that suggests that either you have somebody about to transmit confidential data in an unauthorized way–like Camille always opens her computer and Outlook is the first thing she opens, but in the last week, the first thing she’s done is opened her Gmail and attached a whole bunch of files and sent them off every day.
So something’s happening. Either she’s about to go rogue, or there’s actually an application that’s taken over her computer. We don’t know what but we better investigate. And so we looked at that, but the other thing that we were starting to talk about is what about the computer itself? Or what about the hardware itself? What are we doing to determine whether or not we have trust of the machine and is that only happening at the very first rollout of the machine? Or are there protections we can put in place over the course of its lifecycle?
[00:14:35] Tom Garrison: Yeah, I think you nailed it. The things that I would add there is we all lived through the transition from old passwords to something much more robust–whether it’s seemingly changing the password every two weeks to things like multi-factor authentication. And the idea with all of those transitions that we had is do we know the person that is attached to that machine? Is that person really who they claim to be? That’s the idea and that’s super important because we don’t want somebody who’s pretending to be Camille sitting at Camille’s laptop and doing bad stuff. Right? We want to make sure it’s actually you.
But then the second element is, that’s only half the equation. If we understand the person sitting behind the device, that’s great. Do we understand the device? Can we trust the device? And I think that’s exactly what you were just describing where we’re getting more insight into how to do that. It starts with when the device was originally built and then building that trust chain all the way from when it was manufactured to present day. If you know the device, and you know that the device has been updated, you know you can trust those aspects, then you can start looking at how’s the device acting. If the device is acting in ways that you expect, then it’s fine. If it starts to do something strange then you can detect that and hopefully shut it down very quickly.
When we think about identity, it is undoubtedly transitioning from just a human-centric identity that we were worried about before to now a combination of human plus device identity. And can we trust the device as well?
[00:16:29] Camille Morhardt: Talking about a similar kind of a pairing, the other thing that we talked about was really this marriage of hardware and software, when it comes to security and the concept that you really can’t have one without the other. You can’t completely totally attest and verify the human at every interaction and not do the same for the computer and assume that the computer’s fine, even though you haven’t checked. The same way, you can’t do everything under the sun to verify the authenticity of the software, but not have done anything at the hardware layer. So that was the other thing that we talked about.
[00:17:07] Tom Garrison: And I think also on the software it’s important for people who may not live in this world directly, that there are software things like applications and the operating system. We want to understand what is the software and really can we trust it? And so there you have things like software bill of materials and what were the software components that were used to build those applications. And can we trust those? So there’s a whole series of work in the industry around that. And then there’s low level software as well, things like firmware and drivers and other things that a lot of times people consider hardware, but there’s a whole lot of software that reside on the platform as well.
And equally there we need to understand the provenance of that software. Can we trust it? Is it updated? Has it been manipulated in any way? And there’s a lot of work there as well. And through things like compute lifecycle assurance and transparent supply chain, some of the initiatives that I know that Intel is working on, those are really aimed at addressing some of those threats.
[00:18:10] Camille Morhardt: Yeah and helping to protect the entire supply chain, as well as what you’re looking at within your own company, it’s that you can’t just look to the left anymore, you have to look both directions and make sure everything is secured across every layer, backwards in time and the supply chain and also forwards in time and the supply chain. Because the thought that you can release something and never do an update again–which I think was believed at one point in the hardware world–is way out the door.
[00:18:41] Tom Garrison: For sure. I think the silver lining through a pretty dark cloud in 2020 and 2021 is people are much more attuned to supply chain in general, and the dependencies they have on a healthy supply chain. And I think when you put a lens of security on top of that supply chain you start to realize that it’s not just can I get things from my supplier. From a security standpoint, it’s can I trust the things that I’m getting from my supplier, especially when they’re coming from places in the world where there’s a lot of strife.
[00:19:22] Camille Morhardt: And speaking of the last couple of years, the final thing that we wrote about in the article was digital transformation or cloudification and just how this massive shift among many industries or portions of industries to working from home. Obviously not every service or product can be provided working from home, but there was a giant shift of many kinds of jobs and roles to working remotely–and that introducing all kinds of security challenges that have had to have been addressed and I think are continuing to be addressed.
[00:19:56] Tom Garrison: Yeah. It’s not just the lucky few that can work from home, it’s really become pervasive. And with more and more people that are working outside the confines of a typical business office or enterprise you introduce a whole new set of threats around the data and how to protect it.
It is more of the same and this cat is never going back in the bag. This is the new way that people will work from here moving forward. You are going to have a ton more distributed workers and distributed workforce, and we’ll have to figure out how to protect it.
[00:20:35] Camille Morhardt: It’s almost like humans have moved into the IoT space in the sense that we are all now very distributed, many of us, and we’re getting devices–either consumer devices that we purchase and then connect to corporate networks or corporations are having to ship devices out directly to end-users and provision them onsite much the same way we’ve been talking about IoT and how we’ll have to send devices out and install them somewhere remote and then provision them and make sure that everything is secure at the beginning and continues to be secure and updatable.
[00:21:10] Tom Garrison: Yeah that’s right. So these are the trends we talked about. You and I were discussing there’s a few trends that we didn’t even include in the article.
[00:21:19] Camille Morhardt: I know we’ve had so many, there’s only so much word count. So a couple of the ones: we did a series of conversations around quantum. We did quantum compute, what is it? We did post-quantum cryptography. We’re starting to look at the future of compute and what is security going to look like and what is going to break unless we have a solution to it.
[00:21:42] Tom Garrison: To me it was a fascinating discussion that we had around quantum computing, because it’s not hyperbole to say that all security that exists today can easily be defeated by a quantum computer. And so, the logical question is if that’s true what are we going to do about it? Fortunately, we have very smart people around the world that are solving this problem. But how to evolve cryptography so that it’s not subject to a simple attack and break by a quantum computer. There’s a whole bunch of really interesting stuff that’s going to come out of that work.
[00:22:20] Camille Morhardt: Super, super interesting. I just think that there’s obviously a lot of arguments about when the first true quantum computer is going to be available and usable. But surely the horizon is not so far away that a lot of devices and products that the world is putting on the market today–like an automobile could easily be out, airplane, think of anything really–could easily still be functioning by the time we have quantum compute. So if you’re building a product and putting it out now and figuring that you’ll just adjust later, that’ll be too late. How are you going to make sure that you have an ability to update the cryptography of your product that may still be out in the wild by the time quantum computers arrive?
[00:23:09] Tom Garrison: That’s right. Post-quantum is certainly within the lifespan of devices that are being manufactured today. So you have to be able to manage through the transition.
[00:23:18] Camille Morhardt: The one other thing that I just wanted to bring up that you and I have been talking about a lot although I don’t think we identified it specifically as a trend, is I’ll call it “distributed” everything. Because we see this move toward distributed when we talk about artificial intelligence, obviously when we talk about things like blockchain–which is a distributed ledger technology–distributed learning. When we talk about Artificial Intelligence, how are we going to protect things as they are far apart from this secured perimeter or even kind of a central server or central model?
[00:23:57] Tom Garrison: No, you’re exactly right. There’s no easy answer to this, and the move to distributed kind of everything is absolutely happening. And at some point, by the way, this industry has oscillated back and forth multiple times from centralization to decentralization; I expect that that’s going to happen here as well. Right now we’re sort of swinging even stronger towards decentralization of things. At some point the pendulum will start to swing the other way, but for right now, we can’t see when that’s happening. So, you’re exactly right. Right now a lot of things are moving towards decentralization.
[00:24:44] Camille Morhardt: There was a time when distributed things were very fringe kind of feeling, at least from an enterprise perspective. And now we have to get our hands around this from a security perspective. There’s no escaping it; both will exist and they’ll rise and fall in popularity but they will all be around.
[00:25:04] Tom Garrison: I remember having conversations with enterprise CIOs and not just one or two, with lots of them. And they would say statements like, “you know, over my dead body will we ever move XYZ workload off prem”. And almost without exception all of those workloads are now distributed. In some cases with multiple cloud vendors, not just one. So it has absolutely happened. You’re exactly right and we’ll have to see how it plays out.
And so now we get to the part of the podcast where we share a fun fact and we don’t have a guest today, so I’ll just jump straight in—I’ll do it today first.
[00:25:54] Camille Morhardt: That’s a change for the new year.
[00:25:56] Tom Garrison: I know, why not? It ties into what we were just talking through and today I was reading an article that talked about in 2021, there was $2.2 billion in cryptocurrency stolen from defi platforms. And so I’m like, what is a “defi”? I looked at that and defi actually stands for decentralized finance. It offers things like loans and whatnot, without relying on intermediaries like brokerages, exchanges or banks.
It’s a significantly growing area. And last year there was $2.2 billion that was stolen from fraud in these areas. The fun fact for me is really two things: One is that there’s this whole new world about defi that’s coming up that I think you and I should explore more; maybe a podcast next year. And then also, as it is growing, the cyber criminals are looking for opportunities to steal from it.
[00:27:15] Camille Morhardt: Definitely, and as you’re talking about that and thinking about how that, I’m not sure I completely understand the concept, but that might be considered fungible tokens if you’re talking about currency exchanged. I guess you’re talking about these services that are happening at a distributed level. We’ve just done a two part series on non-fungible tokens. So we’re going to start getting into some more of these kinds of decentralized models and exchanges that are happening online.
[00:27:45] Tom Garrison: Great. All right. So what is your fun fact for the day?
[00:27:48] Camille Morhardt: I’m going to switch it up on you a little bit since it’s a new year. I’m gonna introduce the concept of a fun fact challenge. I’m going to challenge people to go figure out for themselves who is the inventor of the printing press. And if you’re like me and the word that jumps into your mind is “Gutenberg,” then you might want to look it up a little bit more carefully. It does seem to me after doing a bit of research that the Chinese were the first, in fact, inventors of the printing press. I think it might be worth taking a closer look and challenging some of the things that we thought we knew as given facts.
[00:28:32] Tom Garrison: And in that case you are talking about manual presses and whatnot. Right? Not, not a mechanized press but a manual press.
[00:28:41] Camille Morhardt: Right, there were some differences. So that’s another question is how exactly are you defining something and how does that change what a fact is?
[00:28:50] Tom Garrison: Well good stuff. Camille, as always, great conversation, good talking with you. I hope the listeners will look for the article that we wrote and also use this as something to think about for their businesses on how am I taking into account some of these trends moving forward.
Stay tuned for the next episode of Cyber Security Inside. Follow @TomMGarrison and Camille @Morhardt on Twitter to continue the conversation. Thanks for listening. The views and opinions expressed are those of the guests and author, and do not necessarily reflect the official policy or position of Intel Corporation.