“Remembrance of lessons learnt past” for the internet of things

By PATRICK STEPHENSON

BRUSSELS – In the wake of the WannaCry ransomware worm in mid-May that criminally encrypted some 230,000 computers in 150 countries, artificial intelligence (AI) and computer science experts from across the world gathered at the Digital Festival here on 1 June.

Among the take-aways: 1) the entire country of Estonia could digitally exist even if its territory was conquered, and 2) it’s not enough to train people in cyber-security best practices: devices connected to the internet of things (IoT) must be made inherently safer, too.

Tibor Navracsics, European Commissioner for Education, Culture, Youth and Sport, opened the conference, saying: “Ninety percent of today’s jobs require some level of digital literacy, while digital illiteracy is a recipe for social exclusion.”

Navracsics noted that while the EU doesn’t tell its members how to set up their education systems, “young people need to understand how the technology works, and how it can work for them.” With a nod towards the ‘fake news’ controversy haunting Western elections, he said students must be able to distinguish between “evidence and anecdote” as well as between “fact and spin”.

Later in the day, Belgian Deputy Prime Minister Alexander de Croo lauded what the digital revolution has done for development and growth. “Digital is lowering the threshold of entry for everything. It’s much easier to enter the economic field as an entrepreneur,” he said.

But Jo Deblaere, chief operating officer for Accenture in Europe, sought to temper the optimism with a warning. “Somewhere between five and 15 percent of jobs in our economies can be automated, even with current technologies,” he said. The widespread adoption of automation, he said, would mirror previous economic revolutions in that some pain would precede progress. “Each big revolution has [overall] improved the general well-being of society, but it won’t always be pretty.”

Deblaere called for balancing automation with social well-being, a process he called ‘responsible AI’: “It’s either going to be inclusive, or it’s going to be chaos,” he said.

Discussion moved from economic to security matters in a later panel on security and the internet of things (IoT). Marten Kaevats, chief innovation officer for the Government Office of Estonia, said his country was “a good case study” in protecting national infrastructure from cyber-attackers, pointing to the 2007 attacks — widely believed to have been carried out with the help of Russian state authorities — that disabled large parts of the country’s public and private-sector networks.

Having learned from that experience, Estonia’s networks are now much more secure. “The WannaCry attacks did not appear in Estonia because we had a strong framework already in place,” he said. For Kaevats, the baseline for national cyber-security is a decentralised server network. Estonia has 1800 continuously updated servers set up around the country, all with different settings so they cannot be attacked at once.

But Estonia’s ambitions do not end there. Kaevats said the country is now working to put servers outside the country in ‘virtual embassies’ across the world. These would use so-called blockchain technology — a distributed database highly resistant to hacking — to host all Estonian government and private-sector information.

“Soon Estonia will be the only country in the world that could exist without physical land,” he said. If invaded, the country “could be reconstituted anywhere, if it had to.”

A panel debate then broke out between Allan Haughton, IoT security lead for Accenture Digital, and Richard Hayton, chief technology officer for Trustonic, a maker of secure apps for mobile phone use. Haughton insisted that the weakest link in any security system “is the human element”. As an example, he pointed to the December 2015 cyberattack that partially shut down Ukraine’s power grid — an attack engineered when grid workers clicked on email attachments containing toxic code.

Hayton pushed back. “The human end matters, but you can’t fix it,” he said. “You have lots of intelligent people and lots of stupid people, and the attacker just needs to find the stupid people.” For Hayton, the human element “won’t fix everything. It’s always easy to blame the idiot who clicks on the attachment. But the NHS [the British National Health Service] was still using [Microsoft Windows XP] because they didn’t have the budget to upgrade.”

Instead, Hayton said that while some emphasis on human behaviour remains important, systems must be made inherently more defensive. “They shouldn’t do just what a dumb operator tells them,” he said. As an example, he questioned why hackers had been able to commandeer Internet-connected baby monitors to conduct denial-of-service attacks. “I’m a baby monitor,” Hayton said. “Why should I be doing that?”

In reply, Haughton said, “It’s smart people who get fooled too, not just the stupid people… the human element isn’t stupid people at all. It’s everybody.”

     THE UPSHOT: Cyber-security must include a ‘human element’ trained against opening suspicious email attachments, among other typically dangerous activities. But it is also true that the internet is designed as an open system highly vulnerable to attack, and that devices connected to it are similarly vulnerable – the human element be damned.
     One expert used the example of a TV talk show host taking calls from a viewing audience. When using a landline phone system (a system built defensively, in the expert’s view) if more than one person calls the talk show host, only one caller gets through, and all the others receive a busy signal. The talk show goes on.
     But on the internet, the analogous situation is that the talk show host literally tries to take all the calls at once, causing the phone line to jam and break down. That breakdown is the essence of the distributed denial of service (DDoS) attacks that often disable banking networks, media companies, and even government agencies.
     Fortunately, Estonia has taken this lesson to heart, and is designing a nation-wide system that is defensive in nature. Other countries may not have Estonia’s well-founded territorial fears. There’s no need for Spain to exist online, without La Mancha. But all the same, the Baltic country’s example is a good one for others to study, and, within limits, even to follow.

     ps@securityeurope.info
