2018 has kicked off not so well with the outing of basic flaws in the worlds core technology. Spectre and Meltdown show new threats to companies building complex machines and systems to run our lives and upon which we are encouraged to become more and more dependent.
The issues allowing Spectre and Meltdown are built into the basic design of the systems, meaning that these vulnerabilities bypass our software security measures. It is not just desktops or your laptop or only at work, it’s the whole system – mobile, cloud, IoT, servers, tablets…all technology.
Why were these now seemingly basic flaws not noticed years ago?
Our computer systems are growing in complexity and with more and more layers and interaction, the complexity is outstripping our ability to fully understand how it all works. The systems are built to rules and standards that have not been security tested as a whole. Add this to that, put in one of those, add some software, connect to a router, voice enabled and with none of these devices and systems being tested for security from the ground up in design. They are all built to the same standards and using standard components
As we use this complex technology and leave it online, connected into new and old systems, they are providing a tempting target for hackers. This target will be further complicated and expanded with the growth of the Internet of Things (IoT), as we build capabilities into all our devices, tools, home appliances, cloths and garden furniture, all in the name of making our lives easier. With this ‘ease’ comes ever more complexity and as it turns out higher risks.
Market researcher IHS Technology estimates the number of devices using IoT technology will reach 53 billion by 2020, and this is early days – just like the spread of electric power in the 1800’s, the spread of IoT and AI is only just starting.
With this growth so goes the exponential growth in cyber-attacks. Not only attacks of a more traditional nature but now we are to contend with attacks that cannot not be fully detected as the ‘security hole’ being exploited was built into the base design of the computers and systems.
This is the basis of the Meltdown and Spectre attacks which come from combining unrelated design features that were thought to be well understood. Computer science 101 if you like. The attack was not via one individual system or but through the interaction between them, the complexity that humans think they know, but don’t. Its outside our capabilities or understanding.
It’s a bit like Move 39……
The move occurred in a Go match between AlphaGo and Lee Sedol, one of the world’s top players, in 2016. As he approached the match series he was confident. He lost the first match, but he thought he knew why. In the second match we got to move 39 played by AlphaGo. The move perplexed not only Lee but all the commentators saying they would not have played the move, many thought it was a mistake. This was outside the collective expert’s knowledge. It was highly unlikely that any human would have played the move.
However, it was this move that caused the loss of the game. In review afterwards Lee Sedol said that he now has a new understanding of the game of Go through these matches with AlphaGo and respect of the machine. After playing, and losing to Alpha Go, he went on to win more and more games with this new understanding.
Go, a game played by millions, and for centuries, has been given new insights by a machine. This same reasoning should be applied to our security world, developing new mathematical models that will understand the complexity and show us Move 39 before it hits us hard.
Machines see the world differently to us. A machine, like AlphaGo, can see many more moves than any human. New machines need to look at our complex world and model our security in partnership with humans.