What time is it?
It’s the Anthropocene: an epoch in Earth’s geological history defined by human-driven impact on the world and already a mass species extinction event. The World Economic Forum is telling us that we are in the Fourth Industrial Revolution; this builds on the digital revolution and is characterized by a fusion of technologies that is blurring the lines between the physical, digital and biological spheres. Carlota Perez says we are at a turning point, about to enter a new Golden Age—a fifth technology revolution.
How should we respond to this analysis and how does it guide what we do day to day, particularly with respect to cybersecurity? How do we keep ourselves safe now and the planet safe for the future?
The World Economic Forum’s analysis identifies the first industrial revolution as that of steam and waterpower replacing human labor and mechanizing transportation. Their second industrial revolution is that of mass production and factories. Their third industrial revolution is the proliferation of computers and automation technologies. Their Fourth Industrial Revolution is that of pervasive, ubiquitous, artificially intelligent computing; the Internet of Things (IoT), self-driving cars, augmented reality and neurotechnological enhancements. This revolution will rely on vast numbers of machines—all with machine identities that will need to be protected for the advances to remain viable.
What led us here
Perez’ research has identified a number of techno-economic cycles, starting with the industrial revolution that saw the rise of factories and machine manufacturing. This drove new national economies, starting in Britain, that replaced agriculture and local production. The second revolution was driven by coal, steam, iron and railways. That led to the third, with electrical, chemical, civil and naval engineering practices which drove international shipping and the first real wave of ‘globalization’. The trigger for the fourth was harnessing oil and petrochemicals and the start of the age of the automobile. We are now in the fifth, which began in the 1970s with the start of the telecommunications and information technology revolution. Perez says:
“Each of these revolutions to date has driven a great surge in development that has taken half a century or more to spread unevenly across the economy, and each has occurred in two distinct phases—installation and deployment—with a transitional period in the middle that is marked by a bubble collapse and recession. It is in this transitional period, or ‘Turning Point’, that we find ourselves today.”
The turning point is typically a recession; in this revolution, according to Perez’ theory, we’ve had two: when the dot com bubble burst, and the more recent ‘credit crunch’. It’s time, then, to move from this venture-capitalist, Silicon Valley-driven ‘casino economy’ to a place where we have sustained, global prosperity. Steve Denning notes on Forbes:
“To make this happen, we need new mindsets. Whenever these technological revolutions have occurred in the past, the initial response has always been to try to shoehorn the new technology into old lifestyles and ways of thinking. The result is a failure to capture the full benefit of the new technology. We see people, firms and governments clumsily trying to do things in the old way with the new technology.”
A company’s ability to survive and thrive in our digitally disrupted world is at risk if it cannot throw off traditional ways of working and rejuvenate legacy systems to take advantage of the technological advances that allow us to create more value for the consumers of our products and services. The threat is to be outcompeted. The opportunity is to be a star in the next golden age.
Security posture in the current industrial revolution
With all of these new technological capabilities becoming available, the attack surface increases as threat agents grow in number and capability. Security breaches are becoming more common and more expensive to fix.
The World Economic Forum recognizes the criticality of securing the Internet of Things. Gartner suggests that nearly 15 billion connected things will be in use by the end of the year, and that will increase to 25 billion in 2021 (with a current global population of 7.7 billion, and swathes of the globe as yet unconnected to the internet, that’s quite a few devices per head). These connected things are the Google Homes and Amazon Alexas in our houses, connecting to the smart bulbs, televisions, thermostats and appliances we use day to day. They are our Apple watches, Oura rings and our cars and their associated mobile apps. They are collecting detailed personal data on our health, driving habits, consumption of utilities and groceries, and entertainment preferences every minute of every day. That data isn’t just personal to us; it’s an asset to the collecting organization, potentially to be monetized: what Gartner calls Infonomics. Nobody wants that data to be stolen or used to manipulate us to gain access to our assets. Apart from the cyber criminals, that is.
And it’s not just about us as individuals and the device choices we make—the advent of smart cities connects government and citizens through IoT in a way that should support Perez’ advice that government boldly and actively drives local economies to smart, green growth. Smart city capabilities are things like parking support to find available bays and pay digitally, ride-sharing, optimisation of public transport at busy times, dimming street lights when nobody’s using them, waste space management and early warning systems. And smart cities are connected by smart motorways.
The chances are you will be part of this interconnected world, if you aren’t already, and you’re probably not just a consumer. It’s not just the governments getting smarter, it’s the utility companies using smart meters, it’s the banks processing orders from fridges, it’s the insurers setting policies from data collected from smart watches, it’s the retailers receiving orders online and delivering via drones, it’s the manufacturers of devices, it’s the restaurants taking bookings, payment, feedback from our phones, it’s the entertainment companies streaming media and supporting our online gaming, it’s agriculture using sensors in greenhouses and connected cows: these are the companies that employ us and we must ensure our customers’ safety. We are them.
Governments and institutes are developing guidance and laws to help organizations. These recommend or demand that devices are not pre-set with passwords that are expected to be changed by the consumer, but with passwords that are unique; that companies which produce internet-connected devices and services provide a point of contact so that issues can be reported; and that software updates to connected devices are easy to implement and timely.
Machine identities and IoT
Ultimately, these things on the internet, these devices, are machines and, as such, they all have a unique identity, and this is the key to keeping us safe. As Andrii Fedotov, Director of Communications at the Center for Economic Strategy in Ukraine, explains in Hackernoon, we have several options: setting gateway identities using X.509 digital certificates, and using the same for the devices themselves. Or we can use distributed PKI and SSL/TLS certification with blockchain rather than a Certificate Authority to federate administration. But Fedotov warns:
“A truly industry-accepted innovation in machine identity security is still on its way, and there is a need for the open source tech community to unite efforts around existing distributed technologies… The main limit to attaining best security practice implementation, however, is that IoT devices are small, inexpensive and use standard operating systems and protocols, which introduces similar, well-known weaknesses of centralized network solutions.”
So in lieu of the open source tech community coming together and solving this challenge, whose job is it to assure the security of these devices? Does the responsibility fall on the device manufacturer? The service provider implementing the devices? The engineers delivering the software to the devices? Or the consumer of the services on the devices?
Julian Weinberger, an information security leader and currently Director of Engineering at IoT VPN provider NCP, notes that in a 2017 McKinsey Security and the Internet of Things survey, only 15% of smart device manufacturers believed consumers would be willing to pay a premium for better built-in security. So our risk appetite is driven by economics. And the onus is back on us as individuals to take some responsibility for our own safety in this all-connected new world. But I’m going to hazard that most of us consumers don’t know what we are doing and haven’t set up a VPN at home.
So that’s the manufacturers and consumers—what about the service providers and their engineers? Weinberger highlights that in a 2018 Forrester and Venafi study, 80% of the senior IT security professionals asked said that they struggled with machine identity protection. I can imagine the percentage is no lower for technology engineers not consciously wearing a security hat. The thing is, if the worst happens, let’s say a data breach, whilst it’s the consumer whose data, identity and assets are at risk, the people that will be fined and whose brand reputation stands to suffer will be the people providing the service.
As Hywel Curtis says in his blog post, Securing the Supply Chain: Machine Identity Management in IoT Applications:
“Fundamentally the overall security of an IoT-enhanced supply chain relies on the ability to ensure all communication is authenticated. This is achieved by uniquely identifying, securing, and managing each individually-connected machine on an ongoing basis. Further, this capability needs to be trusted, efficient and able to scale rapidly to meet changing business objectives. Monitoring the full portfolio of connected machines, and their associated authentication certificates, can only be done at scale with a dedicated, automated system.”