Tuesday

Are We Looking at Our Last Chance to Get IoT Security Right?

The Internet of Things is growing and so is the risk of exploitation.

 

Time is running out on setting security standards for the Internet of Things. The President’s National Security Telecommunications Advisory Committee (NSTAC) has examined the cybersecurity implications of IoT and has determined that there is a small — and rapidly closing — window to ensure that IoT is adopted in a way that maximizes security and minimizes risk.
While the adoption of IoT is increasing in both speed and scope, and will impact virtually all sectors of our society, NSTAC warns that if the country fails to develop and use security standards, “it will be coping with the consequences for generations.”
The President’s Commission on Enhancing National Cybersecurity reached a similar conclusion: “The IoT facilitates linking an incredible range of devices and products to each other and the world. Although this connectivity has the potential to revolutionize most industries and many facets of everyday life, the possible harm that malicious actors could cause by exploiting these technologies to gain access to parts of our critical infrastructure, given the current state of cybersecurity, is immense.”


IOT SECURITY IS A PUBLIC, PRIVATE AND INTERNATIONAL CONCERN
To reduce such risks, the National Institute of Standards and Technology (NIST) Draft NISTIR 8200 Report has kept the door wide open for private-sector comments for developing much-needed global IoT security standards. With IoT breaches increasing constantly, this comment request may have been just in time.
IoT is everywhere and, if exploited by hackers or terrorists, could cause physical damage, including critical infrastructure devastation, human harm or even death. This puts standards groups in a precarious position of requiring international agreements on how to address IoT security on a global basis.
There is an added concern with the interaction of IoT processes and unseen machine actions. For example, Intrusion Prevention System (IPS) security requires specialized authentication, validation, encryption and process management capabilities that are not necessarily possible under current cybersecurity standards. 
In encryption alone, two issues repeatedly come up, according to NIST. First, IoT has limited processor and memory space that restricts high-end encryption hardening while extending connectivity to millions of new system process endpoints. Second, current authentication and encryption technologies were not designed to be implemented under these criteria.
IoT offers deeper learning, systems actions and connectivity, which in turn requires security methodologies that can interoperate across all systems. These needed capabilities require security methodologies that can operate effectively across all hardware, network, protocol and software platforms with the added processor limitations and multi-protocol requirements of IoT. 
Securing IoT is a tall order. The comments on the NIST Draft show changes need to be made in existing standards with the potential of deploying completely disruptive cybersecurity technologies to achieve IoT security.    

CAN IOT SECURITY FIX ALL CYBERSECURITY?

IoT security is not typical security. It sometimes adds an entire layer of process events to an already complex operating system. Many processing systems already have security issues. Adding IoT to them could open additional weaknesses. This is the “weakest link” scenario, in which the smallest IoT device could cause catastrophic consequences. 
There is an advantage to learning how to secure IoT. If a small IoT action can be secured at the processor level of an operating system, then the same techniques that require low overhead millisecond security can be used in a variety of system process applications. IoT security could be the learning process needed in achieving complete system process security.     
Finding the answer to IoT security requirements isn’t easy. The physical application of IoT requires many different human and machine security authentications while extending process intelligence and events throughout the system. This extension is often connected to system processes that already have security concerns, such as cloud applications and even locally isolated IoT ecosystems used in DDoS attacks. Obtaining a solid IoT security platform could be a road map in addressing all forms of cybersecurity. From encryption hardening to deep process learning, if you can secure IoT you can secure anything. 

NOW IS THE TIME TO GET IOT SECURITY RIGHT

The Interagency International Cybersecurity Standardization Working Group offers an interesting direction for national and international standards evaluation of IoT. Global public- and private-sector IoT applications could be greatly affected in IoT cyber-attacks. This presents NIST with the daunting task of addressing the best technological solution for IoT security while still addressing the political and corporate influence already in existing cybersecurity standards. 
With the private sector pointing to big problems with IoT security and the International Organization for Standardization (ISO) rejecting NSA IoT encryption algorithms, this could be the time for getting IoT security right. It could happen through government guidelines and regulations involving global standards bodies, such as ODVA, OPC and ISA; or it could happen through industry groups, such as the Internet Engineering Task Force (IETF), the Industrial Internet Consortium (IIC) security working group, or IEEE. The world understands the importance of securing IoT devices and systems, and NIST is in the forefront of this need.
Now starts the hard work. We need to get these standards right and fast. IoT security answers many of the existing problems that multiple cyberdefense systems can’t answer on their own. Data at rest, motion signature and key algorithms are all vulnerable to attack. So, too, is key and signature theft under current security technologies. These same signatures and keys multiplied by billions of IoT devices cannot be managed. Viewing and validating the smallest digital event must be addressed with a speed and accuracy that’s never been available in current cyberdefense technologies.
Security environments are already having scalability, monitoring, management and cost issues. IoT offers a whole new extended endpoint in processes that will require deeper and more easily managed monitoring and security methodologies. IoT security experts must find a way that allows this to be done at the deepest, most complex systems while adding needed process security simplicity.
This may require a different way of thinking in an industry that is reaching a level of complexity and employment it can no longer sustain. The comments section of the NIST Draft offers an opportunity to respond to these IoT security needs in a public- and private-sector forum. Both sectors need to participate and collaborate in addressing the global requirements of IoT security.    

STANDARDS ON STEROIDS 

Public- and private-sector participation in cybersecurity needs to continue. We all will gain by working together on this issue. There is no better picture of this than securing IoT. In fact, it requires international cooperation in many applications while still offering unique or even proprietary requirements for national defense and critical infrastructure. 
There must be a balance of authentication, privacy and security on both the human and machine level. We no longer can afford to use Band-Aids on legacy security standards. We must search and deploy security designs that don’t delay but fix the problem. By choosing the right capability, we can address this. 
IoT has the worst security record in the industry and little has been done about it. We need to find a different way of getting the job done if we are to catch up in the race to cyberdefense. IoT’s vulnerabilities have forced standards groups like NIST to think outside of the box of tweaking old standards into a whole new proof-of-concept era. We need to catch up in cyberdefense technologies, and having a public-private collaborative approach just may be the answer. We have been given the opportunity. We must now change the opportunity to action.
Larry Karisny 
Larry Karisny is the director of ProjectSafety.org, an advisor, consultant, speaker and writer supporting advanced cybersecurity technologies in both the public and private sectors.

Friday

IoT Is Changing the Cybersecurity Industry

Despite a less-than-stellar record to this point, the Internet of Things space is forcing companies to think holistically about the security behind their devices.

BY  JANUARY 16, 2018

It’s odd that the Internet of Things (IoT) industry — an industry with a dismal record of cyberbreaches — would be the one moving cybersecurity forward, but that is exactly what is happening. With regulation looming and the bad press from recent breaches, there is no longer a choice: Better IoT security is a must. I will be speaking at the IoT Evolution Expo in Orlando this month on this very subject, and thought I'd give you a sneak peek.  


IoT Security Gets a Failing Grade
If I remember correctly, 50 percent is a failing grade and yet, nearly 50 percent of IoT companies reported some type of security breach in recent memory. This shocking reality confirms that something needs to be done to improve IoT cyberdefense — and quickly. I cover a lot of areas in cybersecurity and know of no other industry with such a bad track record of breaches. Though these hacks expose data, not all of it has value. Sometimes an IoT hack garners useless data and offers no intelligence to use in an exploit, denial of service or machine control attack. The better news is that there are, at last, cyberdefenses coming to market that can address the need for solid IoT security.

New Cyberdefense Technologies Needed for IoT

IoT is different and has the potential to change everything. It is the new extended edge that allows unprecedented applications and intelligence with tremendous economics and accuracy. These tiny devices are the next step in physical artificial intelligence (AI). I stress “physical.” They are out in the real world telling both people and machines what they need to know and need to do. If hacked, they can manipulate or destroy physical things with impacts that can extend to entire economies or, worse, cause loss of life. IoT is not just a database. IoT is an actuator in the physical world that must be authenticated, validated and secured or risk the potential for very real danger.

Deep IoT Needs Deep Security 

There’s no room for standard encryption file sizes or even simple processor update patches in IoT. These tiny devices were built around minimal battery life that required tiny low-powered processors with minimal flash memory. This limitation has pushed the entire cybersecurity industry to rethink how we currently secure all digital technologies. We are beginning to see the successful deployment of these new security technologies today. If we are going to have deep learning in artificial intelligence and IoT, we need to have deep security as well. IoT is pushing new security technologies toward achieving this goal.

The Enhanced Blockchain IoT Security Fit

Today’s centralized security models require high infrastructure and maintenance costs associated with centralized clouds, large server farms and networking equipment. The sheer amount of communications that will have to be handled when IoT devices grow into the tens of billions will create bottlenecks and points of failure that can disrupt the entire network. Decentralized blockchain technologies could address these limitations, though blockchain alone is not a complete solution. As a principal in a company offering enhanced blockchain security, I am aware that blockchain alone is promising, but it is not the total answer. Just like current layered security architectures today, what we need in blockchain is a secure and safe IoT where privacy is protected. Enhanced blockchain-layered security technologies can offer this.

Revolutionize or Regulate

It is always better to self-regulate, and I hope the IoT industry gets that opportunity to find security solutions on its own. In working with cybersecurity entrepreneurs, I find that compliance and regulation seem to never catch up to the pace required by cyberdefense technologies. Billions were spent in security compliance of the smart grid. And while these security guidelines have value, at the end of the day, compliance does not mean you are secure. Hackers change things daily while compliance recommendations can take years. Cyberdefense needs to be more proactive, as do the matured working technologies that need to be used.

Preparing for Post-Quantum

Quantum computing and IoT have a very bright future. I stress “future” because there are a lot of issues that need to be addressed prior to quantum computing and IoT working together. Quantum computing in the short term, though, will have the processing power to crack any static encryption algorithm. Solutions of more complex encryption algorithms with larger file sizes will work for IoT or really any other industry. In my last article, Is Cybersecurity Encryption Ready to Break?, I discussed the importance of looking for new low-overhead encryption technologies.

The IoT security opportunity

IoT suppliers that have a future will be the ones that invest in the security of their products. Even venture capital startups are clearly aware that they need to secure their IoT applications. If they do not, they could lose customers, spend money on regulatory issues or, worse yet, be involved in legal action against them. The smart IoT suppliers are embracing security and advertising it, even if it involves a premium price. They are beginning to find that customers will pay the premium. There are even IoT enterprise, managed services and cloud computing companies getting into the game offering their own solutions. IoT security is not a matter of choice anymore; it is a requirement.
 
Larry Karisny is the director of ProjectSafety.org, an adviser, consultant, speaker and writer supporting advanced cybersecurity technologies in both the public and private sectors.

Tuesday

Is Cybersecurity Encryption Ready to Break?

Cyberattacks are already bad today. But what if all encryption didn’t work? We are reaching a point now where global adversaries can crack encryption, and will be able to crack all encryption in the near future.

BY  OCTOBER 6, 2017




TODAY'S CRYPTO DILEMMA

From mismanaged encryption keys and system errors to eventual crypto cracking, Public Key Infrastructure (PKI) encryption has increasingly become more difficult to maintain as the needs for these encryption services exponentially increase.
Security adviser Roger A. Grimes has been installing PKIs for private and public companies for more than two decades. In a 2015 CSO article, 4 Fatal Problems with PKI, he discussed why PKI has too many moving parts. Even when it works perfectly, it doesn't solve the biggest security problems. Eventually it will stop working forever.
The complexities of these systems require the deployment and management of certificates, registration authority, directory management, digital signatures, key protocols and key validation. These systems are so complex that they are seldom installed properly and have so many errors that system operators often ignore them.  

In addition, Internet of Things (IoT) security providers are finding that PKI may work in Web applications but clearly was not designed for IoT devices. IoT processors are often so small that they don’t have the ability to update key certificates or embed any type of encryption at all. With encryption file sizes constantly increasing and the number of IoT connections reaching the billions, PKI encryption is effectively dead for IoT.

POST-QUANTUM ENCRYPTION

With recent advances in quantum computing, there needs to be a focus on developing encryption that will not have its algorithms cracked, opening up a Pandora’s box of hacking. 
The National Institute of Standards and Technology (NIST) has been studying this problem and is focusing on post-quantum encryption solution proposals still open in its Post-Quantum Cryptography project. Although it is great to see NIST understanding the urgency of this potential crypto-cracking dilemma, there are industry experts that disagree with their approach. 
Recently there was an interesting debate among security industry professionals on the respected blog Schneier on Security. It was in response to a post about a research paper on RSA cryptography after quantum computing.
The researchers’ answer: Just make the encryption key algorithms bigger, more complex and more costly. How big? Using the calculations of the readers, a one-terabyte public key. Since IoT hardly has space for kilobytes, this is just not the direction to go. Not only will these resource-hogging crypto-algorithms take valuable processing space, they will also use network resources and take longer.

HACKING STATIC ENCRYPTION AND PATTERNS

Over the years I have reviewed hundreds of cybersecurity companies. The people that normally have the best solutions are the ones that already know the problems coming from current technologies. Sadly, they often need to wait until the problems come before they can get people’s attention and offer different solutions. 
The real problem in current cryptography is the very thing that makes the technology work. A hacker can identify and exploit the encryption’s repeating processes to crack the system and take control. Today’s encryption algorithms are static in nature, repeating processes over and over. Their behaviors are expected. Patterns are anticipated. In fact, hackers today are using artificial intelligence to quickly define these patterns. This is why quantum and super-computing can hack current cryptology.

THE FIX?

There is a solution to this problem. Successfully accomplished, patented and deployed by a company called MerlinCryption, the Anti-Statistical Block Encryption (ASBE) leverages dynamic algorithmic complexity and employs stochastic randomization in many aspects of its encryption process. Because all output is variable, there is no static behavior to monitor. 
The key word is variable. Even a quantum computer cannot crack this encryption that protects data as it is created, viewed, edited, shared, stored and moved across any communications channel or in the cloud. The key then vanishes after use, leaving no trace of the encryption process.
Authentication is also an important part of security. Most authentication factors are based on something you know, something you have or something you are. Attackers can imitate the authentication rights of employees or systems to gain access and control. MerlinCryption has innovated a new fourth category of authentication factors using information that is temporary and always unique. These factors are not deterministic, but stochastic in nature. 
Finally, MerlinCryption offers true end-to-end, person-to-processor and processor-to-processor encryption and authentication. Its smallest key is more than 10522 stronger than AES’s 256-bit key. There’s good news for IoT providers too. It offers a 58 KB Low Overhead Platform with a 284 KB Embedded Encryption Platform that can fit in the smallest microprocessors. Oh, it’s cheaper too. Not bad.

THE CLOCK IS TICKING

I seldom focus on encryption solutions because, as we are aware in the cybersecurity business, it addresses only a part of the problem. The potential of breaking all authentication and encryption is serious though. Allowing cyberattackers a wide-open cyberdefense without minimally hardening our systems would be catastrophic. It would allow cyberattackers to strike at will. 
It’s nice to end an article discussing all the problems in a specific area of cybersecurity and then detailing immediate solutions available. The warnings we are getting from both the private and public sector in IoT security issues are chilling. I will be speaking at a major IoT convention about this very issue. The question is: Are we going to talk about it, or do it?
Larry Karisny is the director of ProjectSafety.org, an adviser, consultant, speaker and writer supporting advanced cybersecurity technologies in both the public and private sectors. He will be speaking at the IoT Evolution Expo in Orlando, Fla. on Thursday, Jan. 25, 2018 from 10-10:55 a.m. discussing IoT security strategies.

Wednesday

The Race to Cyberdefense, Artificial Intelligence and the Quantum Computer

The power grid, oil and gas, and even existing telecoms are perfect targets for funding and development of these technologies.

By Larry Karisny August 8, 2017



I've been following cybersecurity startups and hackers for years, and I suddenly discovered how hackers are always ahead of the rest of us — they have a better business model funding them in their proof of concept (POC) stage of development.
To even begin protecting ourselves from their well-funded advances and attacks, cyberdefense and artificial intelligence (AI) technologies must be funded at the same level in the POC stage.
Today, however, traditional investors not only want your technology running, they also need assurances that you already have a revenue stream — which stifles potential new technology discovery at the POC level. And in some industries, this is dangerous.
Consider the fast-paced world of cybersecurity, in which companies are offered traditional funding avenues as they promote their product's tech capabilities so people will invest. This promotion and disclosure of their technology, however, gives hackers a road map to the new cyberdefense technologies and a window of time to gain knowledge on how to exploit them.
This same road map exists for technologies covered in detail when standard groups, universities, governments and private labs publish white papers — documents that essentially assist hackers by giving them advanced notice of cyberdefense techniques.
In addition to this, some hackers receive immediate funding through nation states that are coordinating cyberwarfare like the traditional military and others are involved in organized secret groups that fund the use of ransomware and DDoS attacks. These hackers get immediate funding and then throw their technology on the Internet for POC discovery.
HOW NOT TO DO CYBERDEFENSE
One project that strongly makes a case for rapidly funding cyberdefense technologies in an effort to keep up with hackers is the $5.7 billion U.S. Department of Homeland Security's (DHS) EINSTEIN cyberdefense system, which was deemed obsolete upon its deployment for failing to detect 94 percent of security vulnerabilities. As this situation illustrates, the traditional methods of funding cyberdefense — taking years of bureaucratic analysis and vendor contracts — do not work in the fast technology discovery world of cyberdefense. After the EINSTEIN project failure, DHS decided to conduct an assessment — it's currently working to understand if it's making the right investments in dealing with the ever-changing cyberenvironment.
But it also has other roadblocks, as even large technology companies and contractors with which DHS does business have their own bureaucracies and investments that ultimately deter the department from getting the best in cyberdefense technologies. And once universities, standards groups, regulation and funding approvals are added to these processes, you're pretty much assured to be headed for another disaster.
But DHS doesn’t need to develop these technologies itself. The department needs to support public- and private-sector POCs to rapidly mature and deploy new cyberdefense technologies. This suggestion is supported by what other countries are successfully doing — including our adversaries.
MAKING THE CASE FOR POC FUNDING
The same two things that have motivated mankind all through history — immediate power and money — are now motivating hackers, and cyberdefense technologies are taking years to be deployed. So I'll say it again: The motivational and funding model of cyberdefense technologies must change. The key to successful cyberdefense technology development is making it as aggressive as the hackers that attack it. And this needs to be done at the conceptual POC level.
The concern in cyberdefense (and really all AI) is the race to the quantum computer.
Quantum computer technologies can’t be hacked, and in theory, their processing power can break all encryption. The computational physics behind the quantum also offer remarkable capabilities that will drastically change all current AI and cyberdefense technologies. This is a winner-takes-all technology that offers capability with absolute security capabilities — capabilities that we can now only imagine.
BARRIERS TO CYBERDEFENSE POC FUNDING IN THE U.S.
The most recent funding source for hackers is Bitcoin, which uses the decentralized and secure blockchain technology. It has even been used to support POC funding in what is called an Initial Coin Offering (ICO), the intent of which is to crowdfund early startup companies at the development or POC level by bypassing traditional and lengthy funding avenues. Because this type of startup seed offering has been clouded with scams, it is now in regulatory limbo.
Some states have passed laws that make it difficult to legally present and offer an ICO. While the U.S. seems to be pushing ICO regulation, other countries are still deciding what to do. But like ICOs or not, they offer first-time startups an avenue of fast-track funding at the concept level — where engineers and scientists can jump on newer technologies by focusing seed money on testing their concepts. Bogging ICOs down with regulatory laws will both slow down legitimate POC innovation in the U.S. and give other countries a competitive edge.
Another barrier to cyberdefense POC funding is the size and technological control of a handful of tech companies. Google, Facebook, Amazon, Microsoft and Apple have become enormous concentrations of wealth and data, drawing the attention of economists and academics who warn they're growing too powerful. Now as big as major American cities, these companies are mega centers of both money and technology. They are so large and control so much of the market that many are beginning to view them as in violation of the Sherman Antitrust Act. So how can small startups compete with these tech giants and potentially fund POCs in areas such as cyberdefense and AI? By aligning with giant companies in industries that have the most need for cyberdefense and AI technologies: critical infrastructure.
BIG COMPETITION FROM BIG PLAYERS
The industries that are most vulnerable and could cause the most devastation if hacked are those involved in critical infrastructure. These large industries have the resources to fund cyberdefense technologies at the concept level — and they would obtain superior cyberdefense technologies in doing so.
Cyberattacks on critical infrastructure could devastate entire countries' economies, and that infrastructure must be protected by the most advanced cyberdefense. Quantum computing and artificial intelligence will initiate game-changing technology in both cyberdefense and the new intellectual property deriving from quantum sciences. Entering these new technologies at the POC level is like being a Microsoft or Google years ago. Funding the development of these new technologies in cyberdefense and AI is needed soon — but what about today?
Future quantum computer capabilities will also demand immediate short-term fixes in current cyberdefense and AI. New quantum-ready compressed encryption and cyberdefense deep learning AI must be funded and tested now at the concept level. The power grid, oil and gas, and even existing telecoms are perfect targets for this funding and development. Investing today would offer current cyberdefense and business intelligence protection while creating new profit centers in the licensing and sale of these leading-edge technologies. This is true for many other industries, all differing in their approach and requiring specialized cyberdefense capabilities and new intelligence gathering that will shape their future.

So we must find creative ways of rapidly funding cyberdefense technologies at the conceptual level. If this is what hackers do and it's why they're always one step ahead, shouldn't we work to surpass them?

Saturday

Cybersecurity Industry Must Adopt Cyberdefense Tech that Utilizes Analytics, Artificial Intelligence

We must recognize that our cyberdefense technologies are not working and will not work. Cases in point: Our most sensitive cyberoffense technologies have been hacked; power companies admit they would have great difficulty stopping a cyberattack and are being asked to be prepared to operate at much less than full capacity under a cyberattack; 70 percent of oil and gas companies have been attacked — and the threat is growing.
The cybersecurity industry is in chaos and needs to move toward new technologies — cyberdefense technologies that are beginning to leverage analytics, machine learning and artificial intelligence (AI). Hackers are taking advantage of the same technologies, so the cyberdefense industry needs to jump on board. Let's quit playing catch-up and instead take a proactive approach to cybersecurity.
So what is this industry doing wrong, and how can we change it?

CYBERSECURITY 101

One of the core principles in cybersecurity is to establish a baseline of what the operational and industrial system is doing. Once this is done, you can:
  • define your security policies;
  • evaluate the risk;
  • look at security technologies that could reduce the risk;
  • evaluate the potential threat impact cost versus the cost of the security technology;
  • get management approval; and then
  • deploy the security technology. 
Sounds simple, right? Not so. 
We have layered so much hardware, network and software on top of each other that we truly can't see what our systems are doing. And if we can't see what our systems are doing, how can we establish a system baseline of what is normal in daily system operations? The fact is that we can't see it, which is not a good start to one of the most basic principles of security. This must change.

DEHUMANIZING OUR MACHINE SYSTEMS

Conventional cybersecurity generally points everything to the human first while the system's machine actions are doing most of the operational and industrial processes. As metadata grows, it becomes increasingly difficult to manage and understand. Even the best analytic algorithms can't keep up and are themselves subject to error. 
Human error is the major reason for cyberbreaches, and we are pointing increasingly complex systems toward people who can neither see nor understand what the systems are doing; it is a dangerous scenario to continually disconnect the human from massively automated systems that run without audit. Hackers know this, and they will continually exploit these systems until new technologies can deeply and consistently view and audit our operational baseline.
People need to be able to see with deep inspection the structured and unstructured data that run the systems. Without this being done first, a true operations and security baseline cannot be established, leaving the system exposed to cyberattacks. AI, machine learning and analytics can assist in the viewing of this data, but they exponentially increase the amount of structured and unstructured data that must be secured. These approaches also create vulnerabilities because they layer additional algorithms and software over critical data and system actuators. This gives hackers a targeted system exploit capability that could allow a complete hijacking of system processes. This is being done while humans are continually being removed from our system processes.

CYBERDEFENSE GOING IN THE WRONG DIRECTION

Industry experts are warning about the use and abuse of AI in both cyberdefense and hacking.
As Sean Carroll, a cosmology and physics professor at the California Institute of Technology, told Vox.com, "It is absolutely right to think very carefully and thoroughly about what those consequences might be, and how we might guard against them, without preventing real progress on improved artificial intelligence."
And Nick Bostrom, director of the Future of Humanity Institute at Oxford University, also told Vox.com that “the transition to machine superintelligence is a very grave matter, and we should take seriously the possibility that things could go radically wrong. This should motivate having some top talent in mathematics and computer science research the problems of AI safety and AI control.”
Even the newest neural network technologies that Google is using — the basis of its DeepMind Artificial Intelligence technologies — can be hacked. The reason is that we're using existing technologies to learn what our systems are doing, so we are essentially adding points of offensive exploit to cyberdefense technologies that are supposed to reduce the attack vector. The cybersecurity industry is, in essence, going in the wrong direction. 
A good example of this is tech giants buying up AI cybersecurity startups. This is being done while the DARPA Cyber Grand Challenge demonstrated how AI could hack into AI. Machine learning and AI connect to a very sensitive part of operational and industrial control systems. That’s how it learns. Hackers can use AI to watch what AI is doing, which in turn can offer total control of the machine systems. All third- and fourth-generation programming language (code) can be hacked, period. We must find a migration path to codeless fifth-generation programming language (5GL) that uses codeless signature patterns.

THE DEMAND FOR NEW CYBERDEFENSE TECHNOLOGIES THAT WORK

I have discussed the use of 5GL in previous articles and spoke about the technology at Oak Ridge National Laboratory. I clearly discussed how we need to use 5GL codeless patterns in parallel with existing operational and industrial system technologies. This use of 5GL in cybersecurity as a system auditing tool could be the much-needed answer to new cyberdefense technologies.
A company called On Point Cyber has been watching the development of these 5GL technologies for years, and CEO Tom Boyle said he thinks the timing is right for 5GL.
"Disruptive technologies must have a migration path back to existing technologies and forward to newer technologies. To achieve this, we first index all the current structured and unstructured data, then run them in parallel to the new 5GL codeless signature pattern technologies," he said. "This offers a real-time deep inspection of the operational system security baseline and the immediate detection of anything not part of that baseline."
Boyle also noted that what's great about 5GL technology is that it can be used without changing any of the current operational and industrial system technologies.
"These newer technologies can then offer older technologies a migration path to code vs. codeless signature pattern technologies that could even be used in the Quantum computer," he added. "The use of 5GL in cyberdefense could prove the most important use of this technology today. Clearly, we need to do something different."

CYBERDEFENSE PUBLIC-PRIVATE PARTNERSHIPS

We are entering dangerous times in cybersecurity, and both the public and private sectors must recognize the urgency in finding an industry correction. Immediately invest in cybersecurity technologies that offer more than calculated risk remediation. We are throwing things on the wall that could potentially put our cyberdefense technologies in greater danger. We need to find solutions that stop cyberattacks. 
In the confusion of pretty words and explanations of cyberdefense technologies, government officials and CEOs are asking the simple question, "Can I invest in cyberdefense technologies that work?" It is time to answer that question with the recognition that we need to move on to entirely new technologies that can secure us today and prepare us for the future.