By Michael Balfiore, contributor, and Sara Downey, thought leadership, Dell Technologies
Will quantum computing break cybersecurity? How much responsibility should individuals have for safeguarding their data? How can organizations foster a culture of security? In May, cybersecurity experts convened on a panel at Dell Technologies World to answer these questions and more.
Participants included data scientist Chris Wylie, best known as the Cambridge Analytica whistleblower, Bhavani Thuraisingham, founding executive director of the Cyber Security Institute at the University of Texas at Dallas, and Vivek Tiwari, vice president of Product Assurance and Security at Intel.
Their conversation was moderated by John Scimone, president and chief security officer at Dell Technologies. He asked the panelists to weigh in on what they see as today’s gravest security challenges—given that, as Scimone mentioned frankly, cyber threats are getting worse each quarter, by every measure.
The data threat
We’re living in the data age. On the one hand, we’ve never created and captured so much data. On the other, there are gaps in our data sharing. Companies are still reluctant to share their attack data. As Thuraisingham notes, this is problematic. We need this intelligence to identify groups of threats that behave similarly and use these discoveries to predict an attacker’s next step.
There was general agreement that the proliferation of data represents a double-edged sword. Wylie cited the weaponization of information as a significant threat. “If you radicalize people, and those people then go on to commit harm, you’ve created a weapon,” he said.
Scimone called out the mushrooming of data created by the ever-expanding internet of things as another challenge to security. “The explosion of technology devices creates exponentially more potential to do really good things,” he said, “but also really nefarious things.”
Thuraisingham agreed. “We’ve got data arriving continuously, so machine learning models have to change,” she said. “We [have to] come up with dynamically changing models,” she said of artificial intelligence (AI) designed to fend off attacks.
The AI paradox
When it comes to AI, the panel noted an interesting paradox. Tiwari talked about “AI for security” and “security for AI.”
AI—the very technology that can help threat detection solutions find anomalies in the network and act as a co-pilot in secure development, secure coding and secure assurance—can also be wielded by cybercriminals. The same technology that protects companies could also be used by hackers to inflict unrelenting, automated attacks that any human would struggle to combat, as well as represent a new set of “attack surface” that hackers can manipulate and exploit to cause the AI systems to have unintended effects.
As a path forward, Tiwari talked about protecting the models and data that are integral to AI algorithms, using confidential compute, secure enclaves and trusted domains. He cautioned that these measures need to be built into every product as every product now has AI.
“When it comes to the general population, I think it’s actually unfair to expect that people should become more security conscious.”
—Chris Wylie, social researcher and data scientist
Whose responsibility is it?
While secure product development is foundational, the insider threat is also a cogent factor. Scimone noted that he found the stat in Dell’s recent Breakthrough study, showing more than half (52%) of workers have not meaningfully improved their security awareness/behavior after hearing about high profile cyberattacks “a little disheartening.”
According to Tiwari, businesses can move the needle by building a culture of security. This culture starts with leaders clearing articulating the security strategy, vision and principles. Then you need to provide processes to enable employees to implement these. For instance, with secure development lifecycle. Of course, you need a robust training program which is tied into the company’s recognition system metrics to gauge your security culture’s effectiveness.
Tiwari emphasized that security is the responsibility of everyone in an organization. Wylie disagreed.
“When it comes to the general population, I think it’s actually unfair to expect that people should become more security conscious,” Wylie said. Instead, Wylie essentially argues that safety standards should be built into digital technologies just as they are with physical products.
The privacy conundrum
Noting that Dell Technologies World 2022 took place in Las Vegas, a city known for extensive video surveillance in its casinos, Scimone asked the panelists for their opinions on how to weigh security concerns against the need for privacy.
For Tiwari, it comes down to clear, transparent and enforceable policies. “I think as long as you work within those principles and guardrails, you can find the right technological solutions to address those things,” he said of balancing privacy and security. “And be ready to have that engagement with government agencies, with policy bodies, because you have to do this openly.”
Thuraisingham returned to AI’s prevalence as a reason why trustworthy AI is so important. If it’s in most products and making decisions based on the data it collects, it needs to be secure, private and fair.
Wylie noted that a vital element getting lost in most privacy discussions is the idea of human agency. “When we’re creating systems that constantly are collecting data, and then using that data to start to alter information in front of you,” he said, “those are starting to scratch at fundamental things about who you want to be as a person, how you want to interface with society.” In other words, people using such systems risk losing their autonomy. “How do you grow as a person when you’ve got an information system that is constantly deciding things for you?” he asked.
10 years from now
Looking ahead at the next five to 10 years of cybersecurity, Tiwari said he expected challenges to include physical security, supply chain attacks and weaponized AI. Even so, he sees the threat landscape improving for businesses and individuals thanks to dedicated efforts to combat attacks.
Thuraisingham worries about quantum computing in the hands of future attackers. “I dread to think what’s going to happen to cybersecurity—although it’s going to help with ransomware.” That’s because the brute force computing power promised by quantum computers threatens to smash all existing encryption schemes.
Thuraisingham is encouraged by ongoing work on post-quantum encryption but considers getting more talent into the field, including women and people of color, as vital to success.
“It’s a very monolithic industry,” Scimone agreed. “In five or 10 years, we should look very different and have a lot more horsepower on our side.”