Real vs. Perceived Security

John McDonald
4 min read · Aug 13, 2020
Security Lines at a TSA Checkpoint.

In the 1984 film The Terminator, an artificial intelligence system called “Skynet”, built for the US Defense Department, decides that all humans are a threat to security and launches a nuclear war that eliminates most of humanity. The hero of the movie, John Connor, leads a resistance that successfully overcomes Skynet’s defenses, an action which causes Skynet to send a robot back in time to kill him before he can succeed.

Often talk of smart devices and cognitive clouds gives way to worries about fictional computer systems deciding that humans must be eliminated. To be fair, the Internet of Things greatly increases the overall number of places that a system can be penetrated, which calls for greatly increased security diligence at every point in the design. However, knowing which security issue to address and which to ignore requires us to separate those which are perceived risks from those which are real. Real security issues can be addressed with specific solutions, whereas perceived security issues cannot be addressed with any amount of technology.

For example, let’s say you went online to order a product from a website. After clicking through to the final screen, you’re asked to type in your credit card number, along with your billing address, expiration date of the card, and the small additional three- or four-digit code on the front or back. As you type, you feel a growing sense of uneasiness about the information you’re sharing. You pause and check again to make sure the site is encrypted. You might even consider cancelling your order and going to a store instead for the item. In the end, you conclude that the site is probably secure, and the worst thing that could happen is you’d have to obtain a new credit card if your information were mishandled.

Once the order is complete, your queasiness turns into hunger, so you drop into the driver’s seat of your car and head to a restaurant. You place an order for lunch with the waiter, and when done, he presents you with a check. In many parts of the world, the proper protocol is to tuck a credit card into the folio and hand it back to the waiter. A short time later he dutifully reappears and takes the folio, the check, and your credit card and disappears.

With your credit card. With all the numbers on the back and front. With your signature. For perhaps five minutes or more.

And yet, you think nothing of this. It feels totally normal, and quite calmly you wait for your card to be returned. What is the explanation for the radical difference in your feelings between placing an order online and giving over your credit card willingly to a stranger?

The answer is simple: humans cannot trust computers, at least not yet. In that fleeting moment, as simple as it might be, you develop an inter-human bond of trust between yourself and the waiter. So much so that if you receive an errant charge on your credit card statement, your mind will immediately leap to the waiter, not the website. Your brain, wired by centuries of human experiences, immediately assumes that the waiter betrayed you.

Which of these two experiences is riskier? Handing over your credit card to the waiter, by far. But which of these do you perceive as riskier? Typing your credit card into the website. While the real security risks lie with the waiter, you perceive the security risks as exactly the opposite. Technological solutions exist to encrypt and shield your credit card from the second it’s typed into your keyboard, quite literally forever, but no amount of technology can keep a waiter from copying down your credit card information and using it later that night for a night on the town.

Thus, separating real security risks from perceived ones is key to addressing the security challenges of the Internet of Things. You must first be able to know what is solvable technologically vs. what is simply a human perception issue, and attack those issues that can be resolved with fervor and deliberate action.

As another example, consider the Transportation Safety Administration in the United States. There is an entire branch of the public safety service now in America whose only function is to attempt to cover a perceived security risk rather than a real one.

Don’t believe me? Does anyone with knowledge of the topic believe that a determined terrorist couldn’t smuggle enough plastic explosive or other chemical compounds onto a plane to blow it up, despite all of the metal detectors and body scanners? What is the best way to protect you from a gun-toting passenger?

The answer, quite counter-intuitively, is to arm everyone. If all, or most, of the passengers on a plane were carrying a loaded weapon, no gunman determined to hijack a plane would get more than a foot from his seat still alive. In reality, the best way to protect the flying public is to do away with metal detectors and make sure everyone who has a gun permit carries their weapon aboard! Though that’s unlikely to be adopted as a general policy anytime soon, it does illustrate the difference between actions that counteract real security threats and actions we take simply to feel more secure.

John McDonald

I am a Managing Entrepreneur at NEXT Studios, the venture studio by entrepreneurs, for entrepreneurs, with entrepreneurs.