Abstract
The future of cybersecurity is in flux. Artificial intelligence challenges existing notions of security, human rights, and governance. Digital misinformation campaigns leverage fabrications and mistruths for political and geostrategic gain. And the Internet of Things—a digital landscape in which billions of wireless objects from smart fridges to smart cars are tethered together—provides new means to distribute and conduct cyberattacks. As technological developments alter the way we think about cybersecurity, they will likewise broaden the way governments and societies will have to learn to respond. This policy brief discusses the emerging landscape of cybersecurity in Canada and abroad, with the intent of informing public debate and discourse on emerging cyber challenges and opportunities.
“Cybersecurity” is a contentious word. Some experts shy away from using it. “The term is losing popularity among professionals,” explains Jeff Lewis, director of the Security Operations Centre (SOC) at 2Keys Corporation in Ottawa, Canada, “in part because it does not really convey any meaning beyond a trendy marketing tagline. Information security,” he continues, is “more appropriate at describing the intent of the endeavour[:] … protecting the confidentiality, integrity and availability of information.” 1 Securing digital information has long been at the core of cybersecurity, so stripping away the jargon clarifies the intent. And yet, emerging concerns in cyberspace do not revolve around information security alone. In this regard, the term’s breadth remains useful.
Cybersecurity is evolving. Technological innovation in artificial intelligence (AI), cloud computing, big data analytics, quantum mechanics, the Internet of Things (IoT), blockchain, and other software and hardware applications ensures that contemporary cybersecurity will remain in flux. New malicious code, and novel ways to purchase it via “cypto-bazaars” located on the dark web, gains notoriety on a consistent basis. Moreover, new hardware and software weaknesses are regularly uncovered. The consequences of both are widespread. The 2017 BlueBorne scare, for instance, which remotely infects Bluetooth-enabled devices, and the 2018 Spectre and Meltdown vulnerabilities, which affect microprocessor chips, pose exploitable threats to billions of personal computers and mobile devices. Add to this mix new or improved strategies for conducting cyberattacks, including ransomware attacks like WannaCry that extort payment by encrypting and threatening to destroy private data, and the surreptitious theft of processing power to generate cryptocurrency, and the security landscape dims further. At the same time, billions of users flock to social media: in mid-2017 Facebook reached 2 billion monthly users, and YouTube reached 1.5 billion. Greater digital connectivity is driving social change and restructuring international governance, power, commerce, and finance along the way.
Cybersecurity captures all of this disparate evolution. Information security is an important sub-theme therein, but so are concerns over digitalizing hardware (the IoT), digital misinformation campaigns (cyber propaganda), and the emerging relationship between AI and human rights, governance, and digital security (the cyber–AI nexus). This policy brief will discuss the emerging landscape of cybersecurity in Canada and abroad by focusing on these three themes. The intent is to inform public debate and discourse on emerging cyber challenges and opportunities.
IoT gone wild
The first concern involves the emergence of billions of tethered, wireless objects, which will complicate how we think about and practice cybersecurity in the coming years. The IoT is a digital landscape that connects everyday objects to each other. Private sector assessments suggest a plethora of devices will be going online soon. Everything from your fridge to your child’s toys, from your home thermostat to your pacemaker, will be linked online, forming an intricate web of sensors, data, and machinery. Many of these devices are engineered primarily to be user-friendly and cheap; cybersecurity is not a priority.
The problem is that these devices can be corrupted, hacked, and attacked. In June 2017, in an apparent first, a US casino lost data after hackers used an IoT fish tank—which allowed owners to monitor the tank remotely—to gain access to the casino’s larger network. At some point in the near future, as more IoT devices go online, this sort of activity may become commonplace. And yet, by some standards, using IoT devices to steal personal or financial data is a minor concern. More pressing is the use of IoT technology to conduct more disruptive and global network attacks. The 2016 Dyn cyberattack is a good example. Dyn is a company that provides online infrastructure, domain registration, and email services. During the attack, hackers used Mirai malware to infect hundreds of thousands of online devices, from baby monitors to routers, and lassoed them into a botnet—a portmanteau of “robot” and “network” that connotes an army of zombie devices controlled remotely by a third party. In this particular case, the botnet was used to launch several complex distributed denial of service (DDoS) attacks on Dyn. The result was the flooding of online platforms with duplicitous information and traffic requests; websites slowed down and crashed across Europe and North America. High-profile companies were affected, including Amazon, The New York Times, PayPal, Twitter, and Shopify. The attack lasted only one day, but it proved a concept and reinforced larger concerns regarding IoT vulnerabilities.
As the IoT emerges, we need to think about the evolution of Dyn-like attacks targeting our public utilities and online government service provision platforms. We need to appreciate the risks to public safety and welfare, and assess the potential for lasting damage to the way governments engage with citizens, store and use their data, and provide necessary services. New regulations and industry standards for the IoT—such as those proposed by US senators in August 2017—show some promise. Regulations could help build a culture of cybersecurity within the IoT, by requiring makers and vendors to meet a standard of cybersecurity, and by informing users of the challenges they may face in using these devices.
Digital misinformation
The second concern involves the emerging nexus between digital information, propaganda, and strategic misinformation used to weaken democracies, embarrass governments and politicians, scuttle diplomacy, or justify conflict. We often think of hacks as attempts to exfiltrate data, intellectual property, and other information that is then used by perpetrators or sold to third parties for profit. We are also increasingly familiar with ransomware, in which data is held hostage rather than sold. But there is another concern: using hacks to propagate misinformation for geostrategic gain. Cybersecurity is not only about protecting infrastructure or safeguarding information; it also involves protecting what we know and how we know it. It involves safeguarding the integrity of data and separating truths from mistruths. Propaganda campaigns are not new: misinformation has been a tool of diplomacy, intelligence, and warfare for generations. But what is new is the prevalence of digital information, the interconnectedness between people and information, and the speed with which misinformation can be created and spread for strategic purposes.
The purported manipulation by Russia of the 2016 US presidential election is the most well-known contemporary example. Russia is believed to have targeted subsequent national elections in Europe, too. Rather than promote a specific ideology or political position, investigations suggest instead that Russia’s misinformation campaign sought to manipulate pre-existing social, political, and economic divides within target societies in the hopes of undermining democracy. In the USA, it did so in at least two different ways.
First, in the months leading up to the election, Kremlin hackers stole data from the Democratic National Committee (DNC), the Democratic Congressional Campaign Committee (DCCC), and John Podesta, Hillary Clinton’s campaign chair. Thousands of documents were leaked by Guccifer 2.0, the hacker(s) who claimed responsibility for the breach. Many were posted on WikiLeaks and DCLeaks, a suspected front for Russian intelligence. The documents embarrassed high-ranking DNC staff; several resigned. Other documents suggested that the DNC sought to undermine Clinton’s chief rival for the Democratic Party nomination, Bernie Sanders. This infuriated his base, further splitting Democrats. Donor information was also leaked, which included the personal information of well-heeled Democratic funders. At one point, Guccifer 2.0 posted a batch of documents attributed to Nancy Pelosi, House Minority Leader and prominent California Democrat, with a message: “As you see I’ve been gradually posting DCCC docs[.] … I have a folder from the [sic] Nancy Pelosi’s PC [personal computer]. They are related to immigration, Hispanics, BLM [Black Lives Matter], Islam.” 2 These documents were particularly controversial. Black Lives Matter was especially vocal in its condemnation of Democrats: “We are disappointed at the DCCC’s placating response to our demand to value all Black life. Black communities deserve to be heard, not handled.” 3 There was only one problem with the scheme, however: Nancy Pelosi did not have a personal computer at DCCC headquarters, where the hacks are said to have occurred. “No hacked, dumped, or doctored documents,” Pelosi’s office countered, “can be attributed to her computer.” 4 Whether or not these particular documents were clever fakes, they were widely shared online and on social media. Russia’s campaign of hacks, leaks, and deception had accomplished its task: truth and mistruth were in the eye of the beholder.
Second, Russia took its misinformation campaign to social media. In November 2017, the US House Intelligence Committee revealed a sample of Facebook ads paid for by Russian companies. Other researchers have catalogued the hundreds of Russian-linked Twitter accounts that pumped related content. The material makes for some interesting, and ideologically diverse, reading. They include pro-lesbian, gay, bisexual, transgender, and queer (LGBTQ) content supporting Sanders; Tea Party-affiliated content supporting—and anti-racism content rejecting—Republican Party nominee Donald Trump; Evangelical Christian content urging voters to “help Jesus” defeat Satan’s plans for Clinton; and endorsements for divergent causes, from pro- and anti-gun advocates, to Black Panthers, “Woke Black,” Feminist, and Indigenous activists, to pro-police, pro-South, anti-Muslim, anti-immigrant, alt-right voices. 5 Russia spread all of this material to amplify existing US socio-political divides, and discredit democratic beliefs and processes along the way.
Another recent example of strategic digital misinformation comes from the Middle East. Unlike the US example, in which cyberspace was used to upend domestic politics, this episode sheds light on how cyber misinformation can be used to justify conflict between states. On 24 May 2016, following a hack of its website and Twitter account, Qatar’s state-run News Agency published inflammatory quotes attributed to the Emir of Qatar. He called Iran a legitimate “regional and Islamic power,” suggested that Hamas was the only true “representative of the Palestinian people,” that military relations between Qatar and Israel were “good,” and that “tensions” marred his relationship with President Trump. 6 These quotes were especially provocative in a region already susceptible to conspiracy thinking, in which mistrust between Arabs (both secular and Islamist), Iran, Israel, and the USA run deep. Qatar’s rivals seized upon the news; things devolved quickly into a diplomatic skirmish. Saudi Arabia, the United Arab Emirates (UAE), Egypt, and others responded by cutting diplomatic relations with Qatar. Ambassadors were pulled from the country. Qatar was expelled from the Saudi coalition fighting in Yemen. Other Arab and North African countries imposed a travel and trade embargo; flights from Qatar were suspended. Qatari visitors in several Gulf States were ordered to leave. Al Jazeera, which is based in Qatar, was blocked. Even animals suffered: 12,000 Qatari camels grazing in Saudi Arabia were expelled. While the diplomatic spat was an extension of simmering tensions between Qatar and Saudi Arabia, it nonetheless crimped US relations with both. Qatar is home to roughly 10,000 US troops, and figures prominently in US counterterrorism strategy, including in efforts targeting ISIS. The episode exploded just days after President Trump concluded a visit to Saudi Arabia, his first foreign trip as president, where he was warmly welcomed. US secretary of state Rex Tillerson was left with the difficult task of mending neighbourly fences, but concluded that “we cannot force talks upon people who are not ready to talk.” 7 The product of a well-timed and well-placed hack, the latest rift in the Middle East is a harbinger of how cyber misinformation will be used to sow division, upend alliances and security guarantees, and lay the foundation for more serious conflict between states.
The digital–AI nexus
The third concern marries developments in AI to cyber. AI is a field of science that seeks to provide machines with human-like qualities in problem-solving, reasoning, and learning. Narrow AI uses algorithms to complete a specific task, like learning to play chess or to recognize faces. While these programs may eventually excel at these tasks and outperform human competitors, they are less able to play other games or to solve other problems that they are not originally programmed to. General AI—which does not yet exist—seeks to accomplish this latter task: to empower a machine to learn and solve any number of problems, much as humans can. AI includes a number of tools, techniques, and methods—including, perhaps most notably, machine learning, which trains algorithms to identify regularities in reams of data. Machine learning itself can be further divided into different subfields, including reinforcement learning, in which a program built with feedback mechanisms is rewarded on the actions it carries out.
Reinforcement learning has scored recent victories by developing machines, like AlphaGo Zero (a product of Google DeepMind), that are able to quickly outstrip human abilities in complicated abstract strategic games, like Go. AlphaGo Zero learned to play Go by playing itself—machine versus machine—millions of times over, rather than by reviewing thousands of recorded Go games played by humans, which is what its predecessor, AlphaGo, did on its way to decisively beating the world’s top Go player in May 2017. Studying alone, as it were, AlphaGo Zero took only a few days to surpass AlphaGo’s quality of play. Google released a batch of the machine’s self-paired games for experts to analyze and review: “They’re how I imagine games from far in the future” is how one top player described them. 8
AI holds tremendous potential for governments. In the best case, AI will be able to analyze a large volume of data far more quickly than humans, identifying insights and trends that might have gone overlooked, and providing suggestions on how to improve public services. The same holds for intelligence, policing, and national security: AI will be able to assist in the analysis of data and intelligence, pointing human analysts, police officers, and military personnel in the right direction. AI is already proving its worth in a number of fields. In finance, it is improving economic efficiencies, generating wealth, and countering money laundering. In medicine, it is identifying cancer, heart disease, and Alzheimer’s, and untangling human genes. In academia, it is improving longstanding physics theories. In commerce, it is streamlining the shopping experience by eliminating the checkout line. In agriculture, it is expanding yields and improving farming practices. In emergency preparedness, it is directing first responders and aid. In entertainment, it informs your next binge-watching session on Netflix. And within social media, from The New York Times’ comments section to Glassdoor’s employer review function, AI sniffs out trolls, hate-mongers, and toxic posts, flagging them for review and deletion. 9
The risks, though, are many. AI, coupled with advancements in robotics and manufacturing techniques, will replace jobs—many jobs. Of all concerns, the future of work has captured the widest subset of attention from governments, due to the fear that disappearing jobs will lead to societal and economic instability. Nevertheless, from a security and governance standpoint, other concerns merit our careful consideration. 10
First, AI serves the purposes of all governments, including those that Canada disagrees with on human rights, democracy, gender equality, and geostrategic stability. It also has a dual-use quality to it: it is useful for both progressive and malicious purposes. 11 Accordingly, AI will provide authoritarians with the ability to better monitor dissent, control populations, and target certain people (e.g., women, LGBTQ, and minorities). Already, Stanford researchers have developed an AI that uses photographs to identify a person’s sexual orientation; it has a predictive accuracy rate above 90 percent. 12 This may prove horrendously useful to the over 70 countries that still criminalize homosexuality. And China’s development of the Social Credit System, in which AI facial recognition technology is paired with a social scoring scheme to rank individuals’ quality of civic engagement, illustrates other ways in which governments might use AI to (re)structure society. 13 Democracy will likely suffer.
Second, AI will be useful in both defensive and offensive cybersecurity. In 2016, the Defense Advanced Research Projects Agency (DARPA), the research wing of the US Department of Defense, ran its Cyber Grand Challenge, a “bug-hunting” competition akin to a digital game of Capture the Flag. Seven teams used AI to automatically identify and patch internal flaws while exploiting external weaknesses identified in opponents. Since then, scientists from the Massachusetts Institute of Technology have developed an AI that combs through billions of pieces of data to detect suspicious activity, alerting human analysts for further assessment. The trick in these cases is to train a machine to recognize what a stable system looks like, so that it can identify behaviour that deviates from the norm. 14 But advances in defence often lead to advances in offence. Researchers are now using AI to trick other AIs, effectively using machine learning to adapt to AI cyber-detection capabilities in order to produce new versions of malware better able to penetrate targets. 15 An AI arms race between cyber professionals and between nation states and non-state actors is not far off.
Third, at risk of anthropomorphizing AI, machines have displayed problematic biases. For instance, in the USA, AI programs used for assessing recidivism rates of prisoners were systematically biased against black inmates, and Google’s advertising system was more likely to show women ads for lower paying jobs. 16 In other cases, AI has absorbed the worst of human characteristics. In March 2016, Microsoft released Tay, an AI chatbot, on Twitter. Tay was built to mimic millennials and to “experiment with and conduct research on conversational understanding.” 17 People were free to interact with it. In less than twenty hours, however, Tay’s tweets went from “hellooooo world!” and “humans are super cool,” to “Hitler was right I hate the Jews” and “I f*cking hate feminists and they should all burn in hell.” 18
Bias in AI can be the product of bias purposefully or accidentally built into the algorithm itself. Or, bias can result from inherent biases embedded in the data used to train an AI; algorithms mimic findings buried in data. While machine bias may matter less when it comes to recommending your next movie, it may matter a great deal when AI is used to assist government services. The problem from a public perspective is that many algorithms are proprietary in nature. While public sector investments in AI are large, they pale in comparison with those from the private sector. By all accounts, the private sector will dictate the parameters of AI, by developing and owning the algorithms and by generating and controlling the training data. Much of this information will be considered trade secrets, unavailable for public scrutiny. Some jurisdictions are raising red flags. The European Union’s General Data Protection Regulation, which comes into effect May 2018, will establish a “right to explanation,” in which individuals can demand an explanation for how an algorithm came to a conclusion about them.
But a more pervasive problem exists. Some AI decisions are so complex that developing a human understanding of the decision-making process is not possible. Some algorithms are, in effect, “black boxes”: even if the algorithm is known, how it works and how outputs are developed is unclear. 19 Google’s “gorilla” problem is a case in point. In 2015, Google’s Photos app, which uses AI to tag and sort pictures, classified black people as “gorillas.” Google, openly mortified, raced to correct the algorithm. Yet nearly three years on, the best solution it has come up with is to censor searches and tags for “gorilla,” “chimp,” “chimpanzee,” “monkey,” and “African American,” and to strip the racial—but not gender—context out of searches for “black man” or “black woman.” 20 Instead of fixing the AI—or, worse, because it has found that it cannot fix the AI—Google has opted to effectively ban certain words.
The future of cybersecurity is in flux. Information security is but one of many concerns: AI challenges existing notions of security, human rights, and governance; digital misinformation leverages fabrications for political gain; and the IoT provides new means to distribute cyberattacks. As technological developments alter the way we think about cybersecurity, they will likewise broaden the way governments and societies will have to learn to respond.
Footnotes
Declaration of Conflicting Interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding Statement
The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: Social Sciences and Humanities Research Council of Canada 430-2016-00178.
1
Author interview, Ottawa, August 2017.
2
4
5
6
7
8
9
Libby Plummer, “This is how Netflix’s top-secret recommendation system works,” Wired, 22 August 2017; Jeff John Roberts, “New York Times opens up comments with Google-backed AI,” Fortune, 13 June 2017; Rebecca Sadwick, “Your money helps fight crime,” Forbes, 9 January 2018; Science, “AI is changing how we do science,” 5 July 2017; Matthew Hutson, “AI could identify gang crimes – and ignite an ethical firestorm,” Science, 28 February 2018.
10
My thanks to Tara Dunham and the Digital Inclusion Lab at Global Affairs Canada for highlighting these issues. Author interview, January 2018.
11
Miles Brundage, et al., “The malicious use of artificial intelligence,” Future of Humanity Institute, February 2018.
12
Michal Kosinksi and Yilun Wang, “Deep neural networks are more accurate than humans at detecting sexual orientation from facial images,” Stanford Business, 7 September 2017.
13
Rachel Botsman, “Big Data meets Big Brother as China moves to rate its citizens,” Wired, 21 October 2017.
14
DARPA, “DARPA Celebrates Cyber Grand Challenge Winners,” 5 August 2016; Adam Conner-Simons, “System predicts 85 percent of cyber-attacks using input from human experts,” MIT News, 18 April 2016.
15
Brandon Vigliarolo, “AI vs. AI,” TechRepublic, 2 August 2017.
16
Ellora Thadaney Israni, “When an algorithm helps send you to prison,” The New York Times, 26 October 2017; Amit Datta et al., “Automated experiments on ad privacy settings,” PoPETs 2015, no. 1 (2015).
17
18
19
Chamith Fonseka, “Hold artificial intelligence accountable,” Harvard University, Science in the News, 28 August 2017; Will Knight, “The dark secret at the heart of AI,” MIT Technology Review, 11 April 2017; Paul Voosen, “How AI detectives are cracking open the black box of deep learning,” Science, 6 July 2017; The Economist, “For artificial intelligence to thrive, it must explain itself,” 15 February 2018.
20
Tom Simonite, “When it comes to gorillas, Google photos remain blind,” Wired, 11 January 2018.
Author Biography
Alex S Wilner is Assistant Professor of International Affairs at the Norman Paterson School of International Affairs, Carleton University.
