In a recent survey by the Canadian Internet Registration Authority on the state of cybersecurity preparedness, 88 percent of respondents said they were concerned about future cyber attacks, while 37 percent admitted that they don’t have anti-malware protection installed. With these troubling statistics in mind, there was no better time for this week’s RBC FutureMakers Talks event on the shifting landscape of cybersecurity.
The evening started with RBC’s Laura Evertsen, senior director of IT application resiliency in global cybersecurity, who stated that, in 2017, Canadian firms spent $14 billion on cybersecurity, yet 21 percent of Canadian businesses had a cybersecurity incident. “Money is not necessarily a solution, and banks and financial institutions are the number one target,” she said.
Evertsen also emphasized that the key for businesses to fight back against cyber-criminals is to keep evolving and expanding cybersecurity capabilities, as well as addressing the lack of public knowledge around what needs to be done to keep data safe.
The keynote, delivered by Alex Manea, chief security and privacy officer at Georgian Partners and past CSO of BlackBerry, was an illuminating look at how technologies like AI and IoT will figure into cybersecurity – both as a benefit and a threat.
Manea clarified that AI, often seen as something like the Terminator, is more accurately “the thing that helps us pick cool new movies on Netflix.” But Manea believes that the real benefit of AI lies in how it can help people sort and triage cybersecurity issues. “There are hundreds of thousands of threats every single week, but there’s a limited supply of security analysts,” he said.
Even though a lot of those threats are false positives, like a password change, AI can sort out priority issues for humans to act on, especially since the sheer volume of issues requires more attention than the current analyst workforce can provide.
The Internet of Things is where cybersecurity gets tricky, noted Manea, who described how his past team at BlackBerry once hacked a tea kettle in order to obtain encryption keys stored in plain text. The easy hack shows how IoT changes the risk model of devices, making vulnerabilities far more dangerous than a privacy risk alone. “If somebody hacks my phone or my computer, they’re threatening my privacy and my data. If somebody hacks my car, my privacy and my data are the least of my concerns.”
Shu Wang, chief security officer at Decentral, tackled a topic that many people tend to think of when it comes to cybersecurity: blockchain, and how easily it can be exploited. “The blockchain world is still the wild west,” he cautioned, “and code is the only law.” While people are interested in blockchain because its immutable nature can secure data transactions, that same immutability means damage caused by hacking and mistakes is irreversible.
As an example, Wang pointed to an event from GitHub in 2017, where an anonymous user “accidentally killed” their smart contract (persistent code stored on the blockchain). This led to the discovery of a fundamental flaw within the initial library contract: because it was not properly initialized, anyone could set themselves as the owner, and so anyone could hit the self-destruct button. To this day, those millions of dollars in cryptocurrency remain locked away.
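The flaw Wang described, as a simplified Python model added here for illustration (it is not the actual contract code or anything shown at the event). The class and function names are hypothetical, and the model assumes wallets that depend on one shared library for all of their logic.

```python
from typing import Optional

class LibraryContract:
    """Shared logic that many wallets depend on; it also has an owner slot of its own."""

    def __init__(self, initialize_at_deploy: bool):
        # Vulnerable deployment: the owner slot is simply never set.
        self.owner: Optional[str] = "deployer" if initialize_at_deploy else None
        self.alive = True

    def init_wallet(self, caller: str) -> None:
        # Initialization is only allowed while no owner exists yet.
        if self.owner is not None:
            raise PermissionError("already initialized")
        self.owner = caller

    def kill(self, caller: str) -> None:
        if caller != self.owner:
            raise PermissionError("only the owner may self-destruct")
        self.alive = False  # the code is gone; nothing can undo this

class Wallet:
    """Holds funds but has no logic of its own."""

    def __init__(self, library: LibraryContract, balance: int):
        self.library = library
        self.balance = balance

    def withdraw(self, amount: int) -> int:
        if not self.library.alive:
            raise RuntimeError("library destroyed: funds are frozen")
        self.balance -= amount
        return amount

def scenario(initialize_at_deploy: bool) -> str:
    """An arbitrary account tries to take ownership of the library, then kill it."""
    lib = LibraryContract(initialize_at_deploy)
    wallet = Wallet(lib, balance=100)  # constructed sample balance
    try:
        lib.init_wallet("anyone")
        lib.kill("anyone")
    except PermissionError:
        pass  # properly initialized library rejects the ownership claim
    try:
        wallet.withdraw(10)
        return "funds accessible"
    except RuntimeError:
        return "funds frozen"
```
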
It’s not all bad news for blockchain; Wang noted that although there are new forms of attacks against the systems, the fundamental principles are similar. As such, there are sensible solutions when it comes to protection, including threat modeling to identify what core data needs to be protected the most, recognizing which code needs to be reviewed and audited for info leakage, and undertaking regular security testing for new vulnerabilities.
“Just because we have traffic accidents doesn’t mean we have to abandon cars,” said Wang.
A pair of RBC employees – SecDevOps engineer Naba Siddiqui and senior security developer Peter Barkley – were next to address the room, discussing how companies can securely develop within their framework without having to be afraid of being hacked.
Similar to Manea’s AI discussion, although microservices can be protected by TLS proxies, they still need internal teams (of humans!) to monitor them and check for anomalies. Security analysts aren’t obsolete quite yet.
The pair concluded that security should be baked into the deployment pipeline (“and not as an afterthought”), that it should seamlessly integrate with the development process, and that it should grow iteratively – the deployment pipeline should not be blocked unless absolutely necessary. Although it sounds like a trickier process to ensure that deployment happens without risk of security breaches, as Barkley stated, “trust is the core of cybersecurity.”
Rounding off the evening – and connecting cybersecurity to real-world applications – was Shawna Coxon, Deputy Chief at Toronto Police Services, who focused on how partnerships in non-traditional areas can create new and valuable perspectives. “Whoever can innovate fastest gets ahead,” she said, and gave the example of how TPS embedded a police officer into the DMZ tech accelerator, and then ran a hackathon that ended up creating a useable procurement model.
Likewise, Defcon worked with TPS to create a “Missing Person Capture-the-Flag” in Toronto; the pair used the national missing persons registry and asked people around the world to try to find any of the missing people using open source information online. What resulted was key evidence found for three different cases.
“Think about what’s possible in the cybersecurity realm by bringing together people who think differently,” Coxon said. “Bring in people you might not have even considered to look at problems. See how they’d view what you’re doing, and work with people you haven’t worked with before.”
“Ask yourself: what’s a way you could think about this differently?”
BetaKit is a FutureMakers media partner.