The Future of Security: A Roundtable

Software hacks have compromised cars, baby monitors, and IRS tax returns. Can we do better? Join our discussion.

Kevin Poulsen
Backchannel
Feb 9, 2016

On August 24 of last year, John Gibson, a 56-year-old New Orleans pastor and father of two, was found dead in the house he shared with his wife of 30 years. Six days earlier a hacking gang calling itself “Impact Group” had dumped on the Internet a stolen user database from the website Ashley Madison, an online dating service for those seeking an extramarital affair. Gibson’s was one of 32 million names in the leaked list. In his suicide note, according to the Washington Post, Gibson wrote that he couldn’t bear the shame of having his secret life exposed.

Kevin Poulsen, Contributing Editor / Wired

Gibson’s was one of at least three suicides linked to the Ashley Madison breach, itself the most personal in an epidemic of network security incidents that roiled 2015. In February, Anthem Blue Cross and Blue Shield — the nation’s second largest health insurer — revealed the wholesale theft of names, addresses, Social Security numbers, and other details on 80 million current and former customers and their families, including millions of children. The same month the US Office of Personnel Management announced that hackers had stolen security clearance applications for 20 million government workers. In May, the IRS disclosed that Russian identity thieves had made off with tax returns for 100,000 Americans — a number later revised to 300,000.

Today security issues are felt at every scale, from the intimate to the geopolitical. However earnest our response, it has been insufficient.

Now with the “Internet of Things” becoming a reality, the stakes have never been higher. The warning signs are already in front of us. Last July, Chrysler recalled 1.4 million Jeep Cherokees to fix a software bug that allowed researchers to remotely shut down a vehicle in the middle of the freeway. A similar bug might conceivably turn tomorrow’s self-driving cars into fleets of rolling weapons. Last month an accidental software bug in Nest smart thermostats caused them to crash, sending some house temperatures plunging in the middle of winter. In a handful of creepy incidents last year, pranksters used Internet-connected baby monitors to spy on families, or even talk to a child. These are rare incidents today; tomorrow, they could be as common as the data breaches that shot through 2015.

For that reason, Backchannel has assembled a panel of security professionals from technology companies and academia for a weeklong virtual roundtable discussion. This week we’re asking them to look up from their daily battles and fix their eyes on the future. What will it take to make the next decade safer than the last?

The executives on our panel live and breathe today’s threats, and have a vested interest in preparing for tomorrow’s. Patrick Heim, Head of Trust and Security at Dropbox, and Joel De La Garza, Chief Security Officer at Box, work to safeguard cloud storage; Google’s Head of Security and Privacy Engineering Gerhard Eschelbeck directs security for everything from cell phones to search; Michael Coates, Trust and Security Officer at Twitter, and Alex Stamos, Chief Security Officer at Facebook, lead efforts to make social networking secure and safe. Sam Quigley, Head of Information Security at Square, protects retail payment — a perennial target for fraud attacks. Rounding out the panel are Nicholas Weaver of UC-Berkeley, a top expert on advanced attacks and defenses, and cybersecurity pioneer Rebecca Bace, CEO of Infidel Inc.

You, too, are invited to participate with your own comments and questions. At the end of the roundtable on Friday, we hope to walk away with a clear vision for the future of online security, based on the failures and occasional successes of the past. Where should resources be spent? Are there fundamental assumptions that are simply wrong? When we’re done we’ll have a framework for reversing an ominous trend in technology — one that last year became literally a matter of life and death.

To begin the discussion, and to get our bearings, I’ve asked our panelists this two-part question: What are society’s more urgent technological vulnerabilities today? And what will they be 10 years from now?

Keep scrolling to see the responses so far, or use this table of contents.

Patrick Heim: We Didn’t Evolve For This!

Sam Quigley: We Need To Protect *All* Personal Data

Joel de la Garza: Security As An Afterthought Never Works

Gerhard Eschelbeck: The Authentication Problem

Rebecca Bace: Security Needs A Culture Change

Michael Coates: We Need A Basic Set Of User Rights

Alex Stamos: The Key To Security Is Being Open

Nicholas Weaver: The Global Spy Network of Deadly Robots

Of the panelists who plunged into the future, predicting our greatest vulnerabilities in the coming decade, most emphasized the threat to privacy — the enormous amount of data that will be collected about us all, both directly and through sensors and log files, and the inadequacy of current protections. What will it take to get ahead of these dangers?

Several solutions were proposed — from research to commercial incentives to legislation — but the overall challenge is this: Security needs to be more broadly compelling and achievable for developers, companies and users. What will it take to achieve this?

Our second round of discussion will address these questions and more.

Rebecca Bace: Funding Multidisciplinary Research Is A Must

Nicholas Weaver: Can We Make The Internet Of Things “Secure Enough?”

Joel de la Garza: Humans Can Be Security’s Strongest Link

Sam Quigley: Don’t Legislate Technologies, Legislate Outcomes

Gerhard Eschelbeck: Building That Future We’ve Been Talking About

Michael Coates: Security Breaches Cost More Than Money

Alex Stamos: Research Can Help Strengthen Our Defenses

As the roundtable progressed, the takeaway became crystal clear: security is the responsibility of the many, not of the few. We all must have a hand in protecting the technology of tomorrow.

Read the complete summary of our panelists’ proposals here.

The Future of Security Roundtable is a Google-sponsored initiative that brings together thought leaders to discuss how we can best protect ourselves from the data breaches and security risks of tomorrow. Panelists are not affiliated with Google, and their opinions are their own. Feel free to lend your own voice to the conversation below.

Kevin Poulsen
Backchannel

Contributing editor at WIRED, and the author of the cybercrime book KINGPIN (Crown, 2011). kevin.poulsen@gmail.com. kingpin.cc