EY cybersecurity teams believe it’s time for a new take on cybersecurity: a proactive, pragmatic, and strategic approach that considers risk and security from the onset of any new initiative, and nurtures trust at every stage. This is Security by Design.
Rather than avoiding risk altogether, Security by Design is about enabling trust in systems, designs and data so that organizations can take on more risk, lead transformational change and innovate with confidence.
In the constantly growing field of Artificial Intelligence (AI), for example, the need for such an approach is becoming clearer every day. The two most common forms of Machine Learning (ML) that make up this field – unsupervised and supervised – are prime targets for subversion. The outcomes produced by these methods naturally depend on the algorithms that bring them to life. Yet even state-of-the-art algorithms will lead to corrupted outcomes if the data that fed into them is itself manipulated.
Today, not enough attention is paid to protecting the integrity of the data that feeds into ML systems at the heart of more and more mainstream products and services. Cyber-criminals know this and could in principle attack systems by adding, deleting or changing underlying data sets. Most digital systems in place today are already at risk of such manipulations.
However, as AI expands the scope of automated decisions the opportunities for mischief also expand. Take, for instance, flight traffic systems programmed to automatically adjust aircraft velocity or altitude based on potentially adulterated data – or ML software designed to detect medical issues, where corrupted data leads algorithms to ignore signs of cancer. Such deeply undesirable outcomes may only be avoided by implementing adequate data governance, identity and access management protocols at the core of AI systems.
The rising ubiquity of Internet of Things (IoT) devices provides another compelling case for a Security by Design approach. Consumers increasingly rely on IoT products, which they allow into their homes and entrust with often highly sensitive and personal information. Yet there is little to warrant such trust in the way that these devices are typically manufactured.
IoT devices involve three separate steps in their assembly. This process begins with specialized computer chips built with as little engineering or overhead as possible so as not to impact already very slim margins. These chips are then passed onto original device manufacturers (ODM), hired to build on specification, made with a combination of open source and proprietary software. Once again, the aim here is to maximize margins, with little regard for security or performance beyond required functions. Lastly, the consumer-facing brand company loads their own interface and adjusts the devices just enough to ensure they work. At each stage, the focus is on maximizing profits rather than ensuring security or integrity.
This short term, profit-first approach is a sure recipe for disaster. In 2015, a leading automotive brand was forced to recall 1.4 million vehicles after security experts hacked into their car’s infotainment system and demonstrated that almost anyone could access and control key functions including breaking and steering. As car manufacturers and governments worldwide lead a concerted push toward smart cars and cities bolstered by IoT technologies, the need for greater security is evident.
What do these examples have in common? They are no longer simply niche innovations. They are the global networked systems of tomorrow which will themselves become interconnected and will increasingly form the basis of everything we do day-to-day. It is critically urgent that the organizations and institutions developing and using these technologies adopt a Security by Design perspective. Those who fail to do so run a myriad of risks, from financial ruin to structural chaos, culminating in the often-irreparable collapse of trust. A proactive, pragmatic and strategic approach that considers risk from the very onset – and not as an afterthought – can make the difference between those who fail and those who thrive in the Transformative Age.