Based on a variety of discussions with customers, regulators, and academics, and based on observations, there is a growing need to evaluate and rethink architectures that enhance Cyber Security in digital systems. Given the fast pace with which digital technologies are becoming central to the human daily experience and with the advent of new technologies, it is imperative that the data and the digital infrastructure are protected, no matter where they reside. We must plan and prepare for the future of cyber security while managing current security requirements.
The following observations can be made:
- Digital environments are becoming more complex with varied mechanisms and processes used during data connectivity, data storage, and data processing.
- Data creation and its transmission are exploding in both the enterprise and consumer spaces. Data flow and management are not performed consistently.
- Organizations have many disparate applications and services from many vendors, but dependencies of these applications on each other are not well understood by the organizations.
- Contents of an application or a service are not well understood. Note: contents are also described as a Software Bill of Materials.
- New technologies, applications, and devices are being introduced every day. More devices are collecting data and more processing is happening around us.
- Modes of data collection, which data is collected, and where it is stored and processed are not widely known. People are left ignorant with confusing consent and notification mechanisms.
- Regulatory changes surrounding privacy such as consent, individual rights, and controls are not integrated in today’s architecture.
- Anticipated changes in current architectures, such as in data transmission, may happen on the connectivity channels and could present more security risks.
The increase in cyber security breaches and privacy breaches with today’s architectures results in harm to organizations and individuals. Techniques and solutions to protect the integrity and security of data during transmission, processing, and storage are critical.
Current architectures have served their purpose and will soon become legacy. At present, we are failing to protect our digital assets. Given the issues and new technologies, we must rethink these architectures to increase our cyber security posture. Data collection, storage, processing, and its flow on networks must be reimagined to arrive at true Zero Trust architectures.
IEEE SA is launching the Cyber Security for Next Generation Connectivity Systems Industry Connections (IC) activity to build a community to discuss cyber security issues and rethink architectures to address critical market needs. IEEE SA proposes five architecture principles or baseline realities that will be used to explore new formations and architectures to create more secure and trusted digital platforms.
Here are some digital trust statistics, courtesy of Trust Over IP Foundation.
- Regular Internet users have an average of 85 passwords for all of their accounts. (Cnet, 2020)
- The most commonly used password in the world remains 123456, followed by 123456789, qwerty, password, and 12345. (Cybernews, 2021)
- 80% of all hacking incidents are caused by stolen and reused login information. (Verizon, 2020)
- As of 2020, phishing is by far the most common attack performed by cyber criminals, with the US FBI’s Internet Crime Complaint Center recording more than twice as many incidents of phishing as any other type of computer crime. (FBI Internet Crime Complaint Center, 2021)
- Google has registered 2,145,013 phishing sites as of 17 Jan 2021. This is up from 1,690,000 on 19 Jan 2020 (up 27% over 12 months). (Tessian, 2021)
- There were 1767 publicly reported data breaches in the first six months of 2021, which exposed a total of 18.8 billion records. (Risk Based Security, 2021)
- More than 90% of all healthcare organizations reported at least one security breach in the last three years. Sixty-one percent acknowledged they do not have effective mechanisms to maintain proper cybersecurity. (Frost Radar, 2020)
- In 2020, the average cost of a corporate data breach was $3.86 million. (Dice.com, 2020)
Privacy Erosion and Surveillance Capitalism
- 82% of web traffic contains Google third-party scripts and almost half of them are tracking users. (WhoTracks.Me, 2019)
- 74% of Internet users feel they have no control over the personal information collected on them. (Ponemon Institute, 2020)
- 72% of Americans report feeling that all, almost all, or most of what they do online or while using their cellphone is being tracked by advertisers, technology firms, or other companies. (Pew Research Center, 2019)
Misinformation and Unverified Sources
- In 2020, only 29% of US adults said they mostly trust the news media. (Statista, 2020)
- In Q3 of 2020, there were 1.8 billion fake news engagements on Facebook. (German Marshall Fund, 2020)
- 56% of Facebook users cannot recognize fake news when it aligns with their beliefs. (SSRN, 2018)
Artificial Intelligence (AI) Dangers
- 62% of the companies adopting AI are extremely concerned that it will increase their cyber security vulnerabilities; 57% are concerned about the consequences of their AI systems using personal data without consent. (Deloitte, State of AI in the Enterprise, 2020)
- 93% of automation technologists feel unprepared or only partially prepared to tackle the challenges associated with smart machine technologies. (Forrester, 2016)
- The EU has drafted an Artificial Intelligence Act (AIA) specifically addressing transparency, privacy, and security in the use of AI.
- The National Institute of Standards and Technology (NIST) is beginning development of an AI Risk Management Framework (RMF) to guide AI adoption for US federal agencies (where none currently exists).
There are many reasons behind these issues related to users’ control (or lack thereof) of their information, formation of concentrated information islands, inadequate control application, lack of transparency by organizations, lack of ability to self-heal, speed of action (or lack thereof), and new and emergent technology areas.
With this proposal, IEEE SA is making a call for investigation in three areas, with the goal of invoking new thinking and architectures.
Area 1: Consider the principles and the ground realities of human centricity (data control), decentralization in identifiers, distribution in data processing, heterogeneity in controls, and self-healing.
Area 2: Explore cyber security needs for special use cases (such as IoT, desktops, edge, Artificial Intelligence, etc.), with a focus on Artificial Intelligence and its needs for cyber security.
Area 3: Explore the effect of new and upcoming areas such as quantum computing, Web 3.0, and 5G wireless technologies on the current level of cyber security and on the new cyber security architecture. The objective is to build new guidance, standards, and technologies if current efforts fall short.
IEEE SA welcomes new participants from large and small corporations, academia, industry, and government agencies that are interested in this Cyber Security for Next Generation Connectivity Systems activity. Membership will be composed of, but not limited to:
- Providers of digital platforms, networks, products, and services
- Users of digital platforms, networks, products, and services
- Data protection authorities and other regulators
- Cyber security and privacy researchers
- Cyber security and privacy practitioners
- Privacy lawyers
- Identity specialist groups
- Data and information management specialist groups
- Infrastructure management specialist groups
- Data encryption and other control specialist groups
- Control audit and assessment specialist groups
- Digital human rights activist groups
- New technology area specialist groups (Artificial Intelligence, autonomous systems, quantum computing, Web 3.0, 5G/6G, etc.)
- Consulting firms
Deliverables and outcomes from Industry Connections activities may include documents (e.g., white papers or reports), proposals for standards, conferences, workshops, etc. The deliverables of this Cyber Security for Next Generation Connectivity Systems activity will consider the following:
- Test bed and proof of concept
- Use case guide (mapping the use cases)
- Guidelines for different implementations
- Guidelines to help ensure proper interoperability and compliance
- Proposals for standards based on the identification of issues
- Workshops and events
- Collaboration initiatives with other organizations