Report: Privacy Elusive in World Linked by Mobile and IoT
- By Dian Schaffhauser
An annual report published by the Georgia Institute of Technology examined the emerging cyber threats for the coming year, among them: ever-shrinking personal privacy, lackadaisical security considerations in the Internet of Things and a dearth of trained experts to stay on top of cybersecurity considerations for organizations.
The institute has two academic groups focused on cybersecurity: the Institute for Information Security & Privacy (IISP), and the Georgia Tech Research Institute (GTRI), a university-affiliated research center for the United States Department of Defense. Georgia Tech has also been designated by the National Security Agency as a Center of Excellence in Information Assurance.
Recently, almost two dozen cybersecurity experts from the institute, business, government and defense gathered to share their observations about emerging trends in a more connected world. At the same time, the school issued its report on emerging cyber threats for 2016.
In the age of the smartphone, personal privacy is becoming ever less possible. Even as big business focuses on the collection of big data to improve their marketing and other operations, consumers face a growing privacy risk. Their use of mobile devices may offer them convenience, but it also allows organizations to track their habits and movement. Advanced pattern-matching capabilities allow companies to compile remarkably detailed profiles "on even the most private citizens," the report noted. And reversing the trend "will be nearly impossible."
Too often, the report stated, "a person is faced with a choice of agreeing to the slightly distasteful collection of their data or to being completely unable to sign up for a useful service, an entertaining game or connecting with friends through social media." It's an all-or-nothing proposition.
Privacy policies as an antidote "have largely failed." They're not flexible or consumer-minded. Georgia Tech researcher Amy Bruckman and former student Casey Fiesler found that most of us don't read online policies and even if we did for the services and apps we use, it would take us an average of "over 200 hours per year."
Our growing preference for mobile devices over desktop devices means we have become walking, trackable "intellectual property assets" for a wide range of organizations, added Peter Swire, professor of law and ethics in Georgia Tech's College of Business.
The monitoring doesn't stop there. It's matched with a growth in video and signals monitoring within public spaces, paired with data taken from license plates, facial images and smartphone IDs. "Real-world monitoring will increasingly resemble online tracking," the report noted.
The Internet of Things is expected to compound the problem of security and trust, the report asserted. The same is true for other "cyber-physical" interfaces, such as industrial control systems.
As devices enter every realm of industry and consumer life, "security needs to become a higher priority," said A.P. Meliopoulos, a Georgia Tech professor of electrical and computer engineering. "We are seeing the same thing with other physical systems. Transportation, health systems, robotics — everything is converted into the cyber-domain, and that increases the number of entry points for attack."
Manufacturers of IoT devices have shown little attention to security concerns because consumers are price-sensitive. "No one wants to build security into their devices because no one is going to pay more for a secure device," explained Bo Rotoloni, co-director of IISP. "So these device manufacturers do not naturally have security in their mind set, which leads to an engineering staff who are not properly trained."
Industrial control systems (ICS) face comparable problems. Whereas fewer than 10 vulnerabilities in ICS were reported annually through 2010, nearly 50 were made public in 2011, and the count grew to 100 by 2013. Exploitation of those weaknesses rose from six incidents in 2010 to 19 last year, the report stated.
This year Georgia Tech began work on a "penetration-test-in-a-box" for the Office of Naval Research, directed specifically at ICS. The solution is expected to offer an "end-to-end system that can automatically detect, and adapt inside new systems and networks," said principal investigator Wenke Lee. The project is expected to be completed by 2018.
Pushed by the messes left by high-profile data breaches, company executives have finally acknowledged the need to pay attention to cybersecurity. But a lack of highly trained experts is forcing organizations to adopt cloud-based or outsourced security services.
Many institutions, including Georgia Tech, have introduced new degree and certification programs to increase the number of people going through cybersecurity courses; but "more will be needed," the report stated.
"As we get people who are more aware of security as a problem, then decisions about strategy and approach are going to improve," said Fred Wright, principal research engineer at GTRI. "And rather than a head-in-the-sand approach, the whole organization will drive toward a more secure posture."
Noah Tobin, a research associate at GTRI's Cyber Technology and Information Security Lab, added that threats don't simply include those posed by "disgruntled workers," but also the ones created by "well intentioned" people who don't understand security and open a phishing e-mail they shouldn't.
The report cited numbers from Frost & Sullivan and the International Information Systems Security Certification Consortium (ISC)2, which estimated that a lack of trained security experts will result in a shortfall of as many as 1.5 million workers by 2020. Even as we begin to see "IT everywhere," we don't have the staffing needed to safeguard it, said Mustaque Ahamad, professor in the College of Computing at Georgia Tech.
As a result of that gap, the report predicted, organizations will turn more frequently to external solutions, such as "security-as-a-service," which allows a "single expert to maintain and administer multiple clients" using sophisticated automation tools. For example, Dell SecureWorks, one such service provider, sifts through "more than 150 billion events a day" for 4200 clients and distills them down to about 10 billion unique security events, which are analyzed and reduced to fewer than 5000 potential attacks that require a response.
The report is available for download from the Georgia Tech site.