What keeps cybersecurity experts up at night?

Christian Science Monitor, March 27, 2017 – Securing elections from hackers. The spread of connected devices. Nation-state attacks. The lack of cybersecurity talent.
These were some of the pressing cybersecurity challenges that keep Passcode’s group of security and privacy experts up at night.
Passcode’s Influencers Poll regularly surveys 160 high-profile experts from across government, industry, and the advocacy community. For one last poll before Passcode shuts down, we asked an open-ended question: What’s the most urgent cybersecurity or privacy challenge right now, and what’s one way to fix it?
What do you think? VOTE in the public version of the poll.
Several Influencers were concerned about the impending explosive growth in the sheer number of devices connected to the internet. “Whether one calls them embedded systems, or the ’Internet of Things,’ the combination of these little computers, poor security design, and upcoming high-speed wireless networks are a perfect storm of sorts that holds the potential to make all of our current cybersecurity concerns worse, more persistent, and of much larger scale,” says Bob Stratton, a serial security entrepreneur, investor, and consultant.
In order to combat this, Mr. Stratton says, “we as consumers, investors, and regulators all have to make clear our insistence upon products (of all kinds) that have at least some basic modicum of system integrity and resistance to compromise built in at the time of manufacture. Not every connected light bulb has to have the same security features as a desktop computer, but it is reasonable to expect that ours will only obey commands from the proper controllers and at a bare minimum, that these little devices do not provide a foothold for an attacker trying to gain access to the rest of our home and business networks.”
To that end, the No. 1 challenge for Dan Kaminsky, cofounder and chief scientist at White Ops security firm, is making secure development of products “faster, better, and most importantly, cheaper.”
“Astonishing things can be built on a solid foundation. They can also be built on quicksand, but they won’t last very long,” he says. “We need to escape the false dichotomy between quickly developed crud and monoliths of perfection. It needs to be relatively easy and straightforward to build and operate secure systems. A lot of that is going to involve actually studying what developers want and need, and giving them tools that maintain and retain security as a first class feature.”
Dan Geer, chief information security officer for In-Q-Tel, a not-for-profit investment firm that works to invest in technology that supports the missions of the intelligence community, took a big picture approach in his answer: The most urgent issue, he says, is people’s overall dependence on technology. “The more people use something, the more it is depended upon. Because the wellspring of risk is dependence, risk is therefore proportional to adoption. We call that on which we most depend critical infrastructures. Because dependence is transitive, so is risk,” Mr. Geer says.
“That you may not yourself depend on something directly does not mean that you do not depend on it indirectly. Interdependence within society is today absolutely centered on the Internet beyond all other dependencies excepting climate, and the Internet has a time constant five orders of magnitude smaller. The complexity of our problem is therefore unacknowledged correlated risk and the unacknowledged correlated risk of cyberspace is why cyberspace is capable of black swan behavior.”
To address this, Mr. Geer says there’s no single bullet. “Bring a revolver,” he quips, advocating for “disconnected operation for critical infrastructures, stress testing for entities too connected to fail, public seizure of abandoned codebases, mandatory cyber-event sharing above some threshold of seriousness” and to “geocode the internet, just as cellphones are.”
Other experts pointed to broader privacy challenges as consumers put more and more personal information online. Jenny Durkan, global chair of the Cyber Law and Privacy Group at Quinn Emanuel law firm, points to “gross and unnecessary overcollection of personal information” as her major concern – especially because it’s not adequately protected by the companies that collect it, and consumers have “no realistic way” to control how their personal data spreads online.