The 5 Security Imperatives The Trump Administration Faces
(Above: Donald Trump on the campaign trail in Gettysburg. © Georgesheldon | Dreamstime.com)
In a rapidly evolving, technology-driven environment, where the IoT is a way of life, the incoming administration faces a number of new challenges, especially from a security perspective. Here are 5 major issues that would need to be tackled.
By Wyly Wade
I. Linking The Physical To The Digital, Using Some Form Of Biometric ID In The United States
Why is this necessary?
In a connected world, where digital meets physical on a constant basis, and cyber-physical systems abound, we’ve got to be able to confirm that someone is who they say they are, both in the physical world and the virtual one.
Whether it’s Customs and Border Protection, or the U.S. military, we’re starting to see some sort of biometric identity requirement being either made available for use, or required. In the case of military, a manual even details the operational use of biometrics across branches, for purposes of checking identification, and confirming you are who you say you are in order to prevent the misuse of things like physical access cards to get you into sensitive facilities.
According to the manual: “Integrating biometrics capabilities enables commanders to focus on joint and combined operations by helping to identify adversaries, allies, and neutral persons while degrading threat networks. Operators currently collect facial images, fingerprints, iris images, deoxyribonucleic acid (DNA) samples, palm prints, voice samples and associated contextual data (i.e. elements of biographic data and situational information) from individuals encountered during operations.”
At the civilian level, programs like TSA Pre✓®, CLEAR, and others are essentially trying to do the same — trying to create purpose-built IDs that they try and expand out, to establish you are who you say you are, and make the process quick and effective.
How would we do it?
There’s a general understanding at various levels of the government that sooner or later, they would have to put in place and accept some sort of biometrics-based applicable national identity system. What that could be is up in the air — but the logical step would be a truly authenticated driver’s license at the state level, which you then sync at the back end through data sharing and a data clearing house.
What the government would almost certainly have to do is pass a REAL ID II of some sort, take REAL ID’s basis — the post 9/11 commission review concept that established minimum security standards for state-issued driver’s licenses — and essentially add biometrics to it. What it would do is ensure there’s deduplication of that data across states in some kind of decentralized way, so we still maintain the sovereignty of our states.
II: Create A Process For Using That Data Across Multiple Functions Across The Government
Why is it necessary?
To create a system of accountability, ensure that the right benefits are going to the right person, and avoid the misuse or wastage of resources. This really should be a logical next step after the establishment of a nationally implementable biometrics-driven identity system. We’ve got a lot of data from other countries, which indicates that implementing biometric IDs for social protection programs, for instance, dramatically improves accountability and auditing, drives down corruption, and produces efficacy in those programs.
I’d really think that should be the way ahead, whether you’re allowing access to a nuclear facility, or implementing Medicare and Medicaid payment distributions.
Identity is the basis for receiving access to benefits for a social protection program, regardless of whether it’s for a defined benefits program or some other means of receiving assistance or aid. If you can’t identify the person you’re providing a service or a welfare check to, how do you confirm the check went to the right person?
How would we do it?
You could, for instance, go to an ATM, or you local grocery store or 7/11. But instead of swiping an ATM card, you’d put in an assigned number, or swipe your enhanced license, or scan a barcode on your phone, and then authenticate that by also scanning your fingerprint — that second step is a biometric authentication and there are algorithms that ensure that it is a “live” authentication, that you’re alive.
For now, that fingerprint, in many machines that have biometric readers, matches up to a 12-digit number in the system. In the case of something like a REAL ID II, it would be matched to a fingerprint in the system. This would replace a PIN. For everyone that says it’s not practical, I’d ask you to look at India’s Universal ID system, Aadhaar, which has now enrolled more than one billion people — that’s thrice the population of the U.S. And do remember that this has been made possible in a country where the GDP per capita (accounting for Purchasing Power Parity) is about $6,100/year, as compared to the U.S.’s $56,100. Through Aadhaar, you now have remote, rural villages in India where people’s lives have changed dramatically, because of the ability to access state benefits they previously did not receive for one reason or the other.
III. Updating Our Critical infrastructure, And Securing It, Keeping In Mind It’s Now All Connected
Why Is It necessary?
In a different age, when a lot of our electric grids, highways, dams, transportation systems were being built, each was its own little silo. They weren’t connected in any real sense. In the world we’re hurtling toward, roads will be talking to the street lights, and solar powered cells in the road’s gravel will be charging our autonomous vehicles as they move, the possibilities in our future Smart Cities are endless. You’re already seeing that, we use more and more sensors everyday with traffic lights, intelligent crosswalks, cars that have driverless brake assist systems, or a Smart Grid that allows for two-way communication. It doesn’t make sense looking at spending a trillion dollars on upgrading or updating existing systems, and not keeping in mind that those systems will now be connected in a very fundamental sense, and those connections and networks will feed off each other; that there will be inter-dependability for purposes of functionality.
How would we do it?
By putting in place best practices across critical systems. One of the things we have failed to do is roll out just in time manufacturing at the infrastructure development level. In almost all of our major systems, whether computers or cars, we do some form of just in time or lean manufacturing. With infrastructure, it’s different. For instance, we typically end up having a whole bunch of supplies dumped at one end of a road, and those supplies are then worked into the road or roadbed. We’ve got to be able to create a system of tracking those goods, and requesting them on a need-to basis.
I should also mention how a biometric ID helps here. We’re going to be spending a lot of money. Whenever you have a large influx of cash on projects, you should, especially in a world where technology makes things possible, be able to verify identities and resources, create lists of people on projects, and put in place attribute-based access controls that create an audit trail of who accessed what resource and when. It’s not very hard to get hold of a physical card or key to gain access. It’s far more difficult to duplicate a live biometric identity.
Now for the other security aspect of building connected systems: All the connected or networked systems that talk to each other, or feed off each other, need to be able to communicate back to somewhere, to some kind of command center. This means that all those points are opportunities for attacking the whole, or part of that whole. It doesn’t necessarily have to be a cyber attack, though that is obviously a major focus, it could also be a physical attack — you physically enter a place and then cause disruption to the system virtually from the inside. We have to protect our critical infrastructure.
This also means doing things like large amounts of grid modernization. While the central security lines and the backbone of the power distribution center here in the U.S. is very intelligent, or becoming very intelligent, there is a lot of rural power distribution that isn’t necessarily there as yet. It’s expensive to wire large stretches of areas where there aren’t too many people, and there are places where we still struggle with things like bi-directional power. That is a problem area for interconnected systems, and it needs to be tackled.
IV. Creating A Sustainable Social Protection Policy, Keeping In Mind The Changes Technology Will Bring
Why is it necessary?
Technology brings with it great benefits, but it also brings forth new challenges, and planning for them is absolutely critical. We are entering an age when more and more jobs will become automated. We’re entering an era where we might well be eliminating jobs faster than we create them.
There will be a pivotal point soon, when autonomization will inevitably lead to a form of structural unemployment, a situation in which the demand for labor will be exceeded by the supply of labor. And as many studies have found, a higher rate of unemployment has a direct correlation to higher crime, and therefore, an insecure, more vulnerable economy.
Let’s look at a rather interesting example. We have an unfulfilled job need right now in the United States for about 25,000 for-hire long haul, over road truckers. Given the new air quality standards agreed to, and the shortage of workers or job seekers, the over road trucking industry will likely go through a process of autonomization fairly soon. And this might not be too far away.
In October 2016, a self-driving truck, designed by the Uber-owned company Otto, successfully completed a 120-mile beer run between Fort Collins and Colorado Springs. In September 2016, Uber also launched the first of what it says will be a fleet of self-driven cars in Pittsburgh.
In this great piece by Wired magazine, the author writes that Uber or Otto don’t want to put any drivers out of work, and that the truck currently operate onlys “on the highway, where it doesn’t have to deal with tricky variables like jaywalking pedestrians, four-way stops, or kids on bicycles.”
However, this is already a monumental change. At the same time, according to 2014 data, trucking is the most common job in the United States in 29 states. An estimated 80 percent of all communities in the US rely exclusively on trucks to deliver fuel, clothing, medicine, and other consumer goods, even as trucks move about 70% of the nation’s weight by freight. This makes for a tense future, and one that needs us to plan ahead.
How would we do it?
Over the next four to eight years, we need to set the framework and foundation for how social programs will carry and support a declining number of jobs and a changing job environment, primarily because of the autonomization of processes and jobs, including in manufacturing, the No. 1 employer (by industry), in the U.S. We aren’t Japan, which has a shrinking population. The U.S’s problems are different.
There’s been some experimentation in countries like Canada with a guaranteed basic income. Ontario is introducing a pilot project to see if it could work, and the province of Prince Edward Island just passed a resolution to establish what they call UBI, or Universal Basic Income. We’re going to have to figure out a way to modernize our systems to retrain and repurpose them for periods of unemployment for people. While we have programs that work in silos, we don’t have anything that’s sustainable.
The idea would be that this would replace other forms of welfare assistance, not including healthcare, but while I’m not certain what healthcare policies lie ahead, something like RSBY, the biometric-driven health insurance program India implemented, originally for the bottom two quintiles, would probably be one way.
V. Implementing A National Cybersecurity Mission In Tandem With Physical Security
Why is it necessary?
This goes back to something I’d talked about in October. “There’s No Such Thing As Cyber, If You Don’t Protect The Physical.” It’s as simple as that. As a collective, we are dealing with cybersecurity monolithically, as something that has to be dealt with in isolation, not as part of security as a whole. It’s a problem if we live in these silos. Not just because of the Internet of Things and cyber-physical systems per se, but also because if I, as a hacker on a mission, can walk into your data center, there’s pretty much nothing you can do to stop me getting into your system.
Think of the large scale disruption that would cause to our critical infrastructure, like the power grids, if a criminal, or a foreign power, could gain access. But it’s not just that. As I’d written in June, as technology rapidly changes our world, “we have understood that it’s not just utilities or manufacturing facilities, or military or civilian bases that can be electronically invaded. From smart locks for homes to remote keys for cars, from pre-op pods in hospitals to intelligent buildings and other M2M (machine to machine) technology, as everything in our own lives is customized digitally, how easy would it be for someone to invade your life?” We’ve got to protect the physical as much as the cyber aspect of systems.
How would we do it?
We would need to put in place processes through which we could verify credentials — use biometrics to start with. We would also have to have what are called pinch point admissions, instead of multiple points of entry to a sensitive facility, which would allow credentials to be verified. We would need to validate all vendors, to prevent both the impersonation of a real vendor or the misuse of vendor credentials. We would have to make sure we implement physical access protocols to devices, and finally, any organization dealing with networked systems, especially sensitive data, would need to be able to vet and trust its staff. You’re not going to be able to do much about someone wanting to do mischief on the inside once they’re on the inside and have unfettered access to your systems.
It’s not an overnight process, but we have to try and ensure we’re taking the right path to building a more secure future. And we do not really have the luxury of choice.
(Wyly Wade is CEO of Biometrica Systems, Inc. He was part of the original team that built India’s one billion-plus, biometrics-driven universal identity project, Aadhaar)