Why everyone must play a part in improving IoE privacy
As an Eisenhower Fellow, Dr. David A. Bray recently participated in a five-week professional program that took him out of his normal day-to-day role as CIO for the Federal Communications Commission. While on the Fellowship abroad, Bray met with industry CEOs as well as the Ministries of Communication, Justice, and Defense in both Taiwan and Australia to discuss the “Internet of Everything” and how established industry, startups, public service, non-profits, and university leaders are anticipating and planning for a future in which everything is connected by the Internet.
Bray’s hypothesis going into the Fellowship was that all sectors aren’t preparing nearly enough for exponential impacts ahead, as well as multi-sector issues such as how we continue to protect privacy, civil liberties, security, and democratic processes in the decade to come. His five weeks abroad in a solely personal capacity as an Eisenhower Fellow re-affirmed this view.
In order to effectively prepare for the future, Bray believes it's worth reminding everyone of the sheer exponential scale of the Internet of Everything that we will be facing: “We are currently moving from Internet Protocol version four (IPv4), which routes most of the Internet's traffic today, to IPv6. If you took all the Internet addresses possible with IPv4 (2^32, or approximately 4.3 billion addresses) and put them in a beachball, by comparison all the Internet addresses possible with IPv6 (2^128) would approximate the size of our Sun. That’s not linear change, that’s exponential change.”
“From my conversations with leaders in both Taiwan and Australia, we’ll need to think differently about how we approach security and privacy for the Internet of Everything, and understand regular and abnormal 'herd behaviors' across a massive amount of online devices,” Bray remarked.
Since unplugging oneself from the Internet completely is becoming less realistic within an explosion of connected devices, Bray thinks that everyone must play a part in their own personal security, and he sees a digital equivalent of “cyber public health” as a potential path forward in an Internet of Everything era.
The future is already here
One of the biggest takeaways from his meetings in Taiwan and Australia is that the Internet of Everything is being rolled out now, despite the fact that we often discuss it in future terms, Bray said.
“There are already working devices coming out now, and industrial controls that were originally purposed for business-to-business (B2B) use are now connected to the Internet and being made available to consumers. Devices designed for monitoring temperature in an industrial facility, are now becoming consumer devices for the Internet-enabled home,” Bray said.
While this is an exciting trend, it also presents some concerns.
“Leaders in both Australia and Taiwan raised concerns that, for the most part and with a few exceptions, industrial controls have had less security than TCP/IP – the ‘de facto’ protocol for transmitting data over the Internet – has had. The leaders in both countries also asked me who should be responsible for baking-in security and baking-in privacy into these new controls,” Bray said. “Does it happen at the device level? At the aggregation or cloud level? At the individual application level?”
And those weren’t the only concerns.
“Leaders in both countries asked me who will be responsible for identifying that your grandmother's car has been hacked in the future? Even more importantly, they asked who will be the right person to actually knock on her door and notify her?”
Why a cyber “public health” approach might be needed
While there are no immediate, definitive answers to these questions, Bray did hear some interesting proposals over the course of his fellowship. A recurring conversation that came up with different leaders was around the idea of taking a cyber “public health” approach via an open public-private entity partnership.
Bray, who previously served as IT Chief for the Bioterrorism Preparedness and Response Program at the U.S. Centers for Disease Control from 2000 to 2005, explains that the real world is similar to the Internet in that you can never promise 100 percent immunity to real-world diseases: “Public health exists because even with our best efforts, infectious disease outbreaks do occur in the real world, and we have to rapidly detect, respond, and help treat those affected.”
From his conversations in Taiwan and Australia with industry and government leaders, Bray believes that a cyber public health approach could be a mashup of cyber personal hygiene and cyber epidemiology.
“If we think of the Internet as a series of digital ecosystems where participants need to assume some responsibility for making sure they’re doing their best to keep their Internet devices clean and secure – the digital equivalent of washing their hands – then we can also imagine the need for cyber epidemiology when individual hygiene is insufficient in preventing a mass ‘outbreak’ or individual infection,” Bray said.
His proposal discussed with international leaders includes a near real-time clearinghouse of voluntarily submitted data about the cyber “health” of the Internet across multiple devices. “Similar to how we do public health here at the federal level of the United States where we don’t know who you are specifically, just the signs, symptoms, and basic demographics, a cyber ‘public health’ approach could involve masked data with the best de-identification algorithms possible,” Bray noted.
An open, opt-in model that spans multiple organizations
During his travels, Bray found that leaders in both Taiwan and Australia were supportive of a voluntary, open, opt-in model. Organizations could share masked, de-identified data regarding abnormal behaviors they’re seeing on their firewalls, routers, and other devices.
“Definitions of what constituted abnormal cyber behaviors would be performed at two levels,” Bray remarked. “The first would be at the level of organizations opting-in to participate by analyzing their own networks for abnormal trends and potential exploits over time. The second would be at the level of an open public-private partnership receiving de-identified data from their networks to create a global assessment of the cyber ‘health’ of the Internet. Within the data, there might be false positives, for example when a software bug occurs or a hardware problem occurs, yet even this data would be valuable because globally you might learn a bug is widespread across multiple organizations and needs to be fixed.”
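The two-level model described above, as an added example that is not part of the article and not code from Bray or the FCC: each opted-in organization analyzes its own firewall events and submits only de-identified "signs and symptoms" (no organization name, no raw IP addresses, small counts suppressed), and a clearinghouse aggregates those submissions into a global assessment that flags symptoms seen across independent contributors. The organization names, secrets, log events, sectors and thresholds are all constructed for illustration.

```python
"""Toy two-level cyber 'public health' pipeline (added example, not from the article).

Level 1 (each organization): analyze your own firewall denies, replace host
identifiers with a keyed hash the clearinghouse cannot reverse, and drop
symptoms with too few events to be safely shared.
Level 2 (clearinghouse): count how many independent contributors report the
same symptom. A symptom that is widespread across unrelated organizations is
either an outbreak or a widely deployed bug; both deserve a closer look.
"""
import hashlib
import hmac
from collections import Counter, defaultdict

# Constructed firewall events: (source_ip, destination_port, action).
ORG_A_EVENTS = [
    ("10.0.0.5", "23", "DENY"), ("10.0.0.6", "23", "DENY"),
    ("10.0.0.7", "23", "DENY"), ("10.0.0.5", "23", "DENY"),
    ("10.0.0.9", "3389", "DENY"),   # one event only: suppressed at level 1
    ("10.0.0.5", "443", "ALLOW"),   # allowed traffic is not a symptom
]
ORG_B_EVENTS = [
    ("192.168.1.2", "23", "DENY"), ("192.168.1.3", "23", "DENY"),
    ("192.168.1.4", "23", "DENY"),
    ("192.168.1.2", "445", "DENY"), ("192.168.1.3", "445", "DENY"),
    ("192.168.1.8", "445", "DENY"), ("192.168.1.8", "445", "DENY"),
]
ORG_C_EVENTS = [
    ("172.16.0.10", "445", "DENY"), ("172.16.0.11", "445", "DENY"),
    ("172.16.0.10", "445", "DENY"),
    ("172.16.0.12", "22", "DENY"), ("172.16.0.13", "22", "DENY"),  # two events: suppressed
]


def deidentify_events(org_secret: bytes, events, min_count: int = 3) -> dict:
    """Level 1. Return a masked report keyed by symptom, e.g. 'deny:tcp/23'.

    Source IPs are replaced by an HMAC token under an organization-private key
    (assumed to be generated and kept by the organization), so the clearinghouse
    can count distinct hosts but cannot recover or cross-link them. Symptoms
    with fewer than min_count events are withheld: a single rare event could
    single out one host, which is the digital equivalent of reporting only
    aggregate case counts rather than individual patients.
    """
    counts = Counter()
    hosts = defaultdict(set)
    for src_ip, dst_port, action in events:
        if action != "DENY":
            continue
        symptom = f"deny:tcp/{dst_port}"
        counts[symptom] += 1
        token = hmac.new(org_secret, src_ip.encode(), hashlib.sha256).hexdigest()[:16]
        hosts[symptom].add(token)
    return {
        symptom: {"count": n, "distinct_hosts": len(hosts[symptom])}
        for symptom, n in counts.items()
        if n >= min_count
    }


def global_assessment(submissions, min_orgs: int = 2) -> list:
    """Level 2. submissions: list of (coarse demographics, masked report).

    Only symptoms reported by at least min_orgs independent contributors are
    returned, ranked by how many organizations see them, then by event volume.
    Demographics are deliberately coarse (sector, region) so the result says
    'seen in finance and utilities in APAC', never which organization.
    """
    orgs = Counter()
    events = Counter()
    sectors = defaultdict(set)
    for demographics, report in submissions:
        for symptom, stats in report.items():
            orgs[symptom] += 1
            events[symptom] += stats["count"]
            sectors[symptom].add(demographics["sector"])
    rows = [
        {"symptom": s, "orgs": n, "events": events[s], "sectors": sorted(sectors[s])}
        for s, n in orgs.items() if n >= min_orgs
    ]
    rows.sort(key=lambda r: (-r["orgs"], -r["events"], r["symptom"]))
    return rows


def run_demo() -> list:
    """Three constructed organizations opt in with their own private keys."""
    submissions = [
        ({"sector": "utility", "region": "apac"}, deidentify_events(b"org-a-private-key", ORG_A_EVENTS)),
        ({"sector": "finance", "region": "apac"}, deidentify_events(b"org-b-private-key", ORG_B_EVENTS)),
        ({"sector": "healthcare", "region": "apac"}, deidentify_events(b"org-c-private-key", ORG_C_EVENTS)),
    ]
    return global_assessment(submissions)


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

In this constructed data, telnet (tcp/23) and SMB (tcp/445) denies are each reported by two independent contributors and surface in the global assessment, while the lone RDP probe at one organization and the two SSH denies at another never leave the organization at all. The keyed-hash tokens are the reason the same source IP seen by two organizations cannot be joined at the clearinghouse; whether that linkage should be possible under a shared key is exactly the kind of design decision the open partnership would have to make.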
As the Internet of Things expands into the rapidly accelerating era of the Internet of Everything, Bray doesn't think that any one sector is going to have a monopoly on all the answers or insights.
“At the end of the day, we are all members of the public, and we should all have a say in our new connected lives,” says Bray. “New and open ways of working, especially in public service, will be crucial to finding beneficial solutions for us all.”
Dr. David A. Bray serves as Chief Information Officer (CIO) for the Federal Communications Commission, overseeing the Commission's efforts to modernize legacy systems and transform technology partnerships in telecommunications, broadband, competition, the spectrum, the media, public safety, and security. He was selected to serve as a member of the Council on Foreign Relations and as a Visiting Associate for the Cybersecurity Working Group on Culture at the University of Oxford in 2014.