Am I safe sitting at home with my pacemaker? Am I safe shopping online? Am I safe when I am using my webcam-enabled computer?
These are all real concerns brought up by audience members at the Computing Community Consortium (CCC) scientific session at the 2019 American Association for the Advancement of Science (AAAS) Annual Meeting in Washington, DC. The session, called "Cybersecurity: Transcending Physics, Technology, and Society," was moderated by CCC Chair Mark D. Hill (University of Wisconsin-Madison). The speakers were Kevin Fu (University of Michigan), John Masters (Red Hat), and Zeynep Tufekci (University of North Carolina at Chapel Hill).
Kevin Fu started the session by asking the audience what happens if your oven broiler turns on every time your phone rings. Is that a problem? Yes, a big one. So how can we prevent hackers from theoretically doing something like this in the current Internet of Things (IoT) environment that we live in? It is not possible to blindly test all sensors all the time. As Fu explained, computers today are vulnerable to analog cybersecurity threats. If we keep removing the human from the loop, we will have to keep solving more and more security challenges. An audience member asked him whether there are regulatory frameworks for these issues, and he said “No, not really. These issues are about 5-10 years out. For defense, medical devices, regulations can work, but IoT is consumer driven, so security gets left out.”
In his talk, John Masters explained that if you trade performance for security, it will lower the overall performance because of the associated risk. Similar to what Fu was saying, Masters explained that in order for us to prevent future Spectre and Meltdown issues, we need vendors to care, which is a “challenge for industry to solve.”
Finally, in her talk, Zeynep Tufekci reiterated the importance of building security into all new products, since you never know which access points could expose information that may be harmful, even out of context. We need everyday devices and everyday computers to be hard to hack. A physical switch is key. We can’t rely on an assumed “off” since that could be hackable. To protect all people, it is critical that “every company should be in the business of cybersecurity.”
So, yes, you are safe at home with your pacemaker. As Fu said, “if I was prescribed a pacemaker, I would take it. The risk of not having one is much greater than having one.” Just like with online shopping and using a web-enabled computer, there is risk, but if you are smart – for instance, by using Masters’ recommendation that when shopping online you should only use one credit card with a low limit – you will be fine. We are just at a point where industry needs to recognize that security is an important feature that should be considered in all new smart technologies.
For more information see the CCC@AAAS website.