What’s Next For Security?
How research, regulation, commerce, and a code of conduct could help shape a safer future.
Of the panelists who plunged into the future, predicting our greatest vulnerabilities in the coming decade, most emphasized the threat to privacy — the enormous amount of data that will be collected about us all, both directly and through sensors and log files, and the inadequacy of current protections.
The grimmest prediction, though, comes from researcher Nicholas Weaver, who sees a potentially unstoppable trend to connect everything to the Internet, and worries that 10 years from now people will be killed by computer attacks on cars, power plants, and medical devices. Joel de la Garza of Box sees a closer future, in which no activities can truly be kept private. Even if it’s about to get worse, the privacy threat is qualitatively a familiar one to everyone with a computer or a credit card. The “actuator” threat is not. Question for Nick and the rest of the panel: Are we over-focused on yesterday’s problems to the exclusion of tomorrow’s? And if you accept that these dangers are real, what would it take to get ahead of them?
Sam Quigley from Square points to the lack of financial incentive to prioritize security, leading to an underground economy trading in stolen personal information and a looming outbreak in industrial-scale blackmail. In terms of solutions, Twitter’s Michael Coates boldly proposes legislation to create a user’s Bill of Rights, which would force companies to protect the backend servers housing personal data, and encrypt information as it travels over the Internet, among other things. My first question for Michael, and anyone else with a view: is it really possible to construct cyber security regulations that are broad enough to avoid dictating specific technologies (which nobody wants Washington involved in), without being so vague as to be effectively unenforceable? Is there a model for this?
Many of the security world’s success stories began in the laboratory. Rebecca Bace wants to accelerate the migration of research results into usable tools and products, and Patrick Heim from Dropbox writes of the need to delve deeper into the human behavior that makes us vulnerable. Google’s Gerhard Eschelbeck says authentication is the key. What’s the most promising research being done now? Should there be more public funding for research into these areas, or should companies take the lead?
Medium reader IPvFletch offers that secure development is too expensive for the Internet of Things, and says lowering the cost is a necessary first step. David Czereszka advocates two-step authentication with DNA as the second step.
The overall challenge that emerges from our first round is this: Security needs to be more broadly compelling and achievable for developers, companies and users. Is regulation the answer, as Coates suggests? What commercial incentives could help?
Alex Stamos at Facebook calls for a revolution in open information sharing about vulnerabilities and threats. As a journalist, I’m biased in favor of openness and transparency. How about the rest of you? Is there room for a formal structure or a unifying document — a code of conduct perhaps — to implement this idea?
Follow the second round of discussion using the table of contents below, or visit me.dm/roundtable for the full conversation.
The Future of Security Roundtable is a Google-sponsored initiative that brings together thought leaders to discuss how we can best protect ourselves from the data breaches and security risks of tomorrow. Panelists are not affiliated with Google, and their opinions are their own. Feel free to lend your own voice to the conversation.