Underfunding cybersecurity and privacy protection is costly. In September 2022, attackers used a freely accessible software interface to capture 37,000 medical records from a telecommunications giant, despite the multiple layers of protection and secure APIs the company had deployed. Data was taken from former and current clients – including names, email addresses, passport details, home addresses, birthdates, phone numbers, and driving license numbers. The 2.8 million people whose license and passport numbers were stolen were left exposed to the global risks of identity theft and fraud. As distraught citizens scrambled to protect themselves, they argued that the cost of replacing these documents should not fall on them.
The perpetrator demanded $1M in cryptocurrency, payable within seven days, failing which the data would be sold off in packets. The breach, which may have originated overseas, affected 10M customers, about 40% of the population of the host country. Vituperative and acrimonious ransom threats, tense public exchanges and intense scrutiny followed, as data snippets published on an online forum confirmed the authenticity and provenance of the information.
Although the purported hacker was spooked by digital anthropologists and police cyber units and subsequently deleted the post, the datasets had already been copied and redistributed by others who lurked in the background, waiting to cash in on the confusion and chaos. One view that emerged from this incident is that governments should enact legislation to penalize companies that allow such breaches to occur.
Others argued that certain types of companies should not be allowed to keep sensitive information for long periods of time, and that ex-clients must have the right to have data sets about them scrubbed from the system completely. In some jurisdictions, identity data can be kept for a maximum of six years under the existing local rules. In other quarters the feeling was that consumers should have the authority to take companies that lose their information to court rather than the industry Regulator.
On August 9, 2022, the U.S. Government approved a new CHIPS and Science Act. The Act authorizes the most extensive publicly funded five-year R&D program in the history of the United States. The aims are to fund a future that has a more inclusive STEM workforce, rebuild semiconductor capacity, create regional high-tech hubs, and jump-start R&D and commercialization of forward-leaning technologies such as nanotechnology, quantum computing, AI, and clean energy. As much as 85% of productivity growth in the U.S. has stemmed from technological advances. Much of this growth finds its footprint in public-private partnerships.
In Canada, in September 2022, a “supply chain compromise” occurred when hackers tampered with a popular software product distributed by a small Canadian company that provides customer service products, such as chatbots and social media management tools, to a host of global clients. The scale of the hack was not immediately quantifiable. CrowdStrike researchers hypothesized that the malware had circulated for many days before its detection; they were unable to estimate how many companies were infiltrated and could only theorize that the intrusion affected a range of industries.
Supply chain compromises – which work by tampering with enterprise software to reach its downstream users – use “springboard” companies as windows to attack critical infrastructure such as air and sea ports, oil and gas infrastructure, refineries, power stations and waterworks, rail transport, Security Operations Centres (SOCs), and Disaster Preparedness Early Warning Systems. The connected car is already a burgeoning area of concern, and its cyber security risks deserve particular attention. Hackers who gain access to a car’s internal networks can take control of the electronic control units (ECUs) that run the infotainment and cabin communication systems, climate control, and the navigation GPS units. They can also attempt to neutralize the vehicle alarm, the engine, the brakes, and the steering systems. Such breaches can also compromise the privacy of a driver’s data and threaten the viability of the roadmap toward autonomous vehicles.
The possible number of potential points of attack in a connected car is high, as the number of vehicle nodes (ECUs) keeps increasing to support the demand for additional functionalities. The average vehicle contains about 30 units, and complex vehicles can house up to 100 units. Each unit embeds dedicated operating software and so the systems in a connected car can contain hundreds of millions of lines of code.
Blockchain is already emerging as a possible model for managing car cyber security. A blockchain is a cryptographically linked distributed ledger: a digital log of transactions that is shared across a public or private network, in which each record carries a cryptographic link to the one before it. Blockchain would allow efficient validation of transmitted information by a network of distributed nodes. Open networks using smart grids can allow distributed nodes to engage in vehicle-to-vehicle connectivity using blockchain.
In an autonomous driving environment, this would permit the reliable validation of the flow of position, speed, and route data exchanged between vehicles and traffic infrastructure to mitigate collisions and improve data security. Blockchain in cars could also be utilized for automatic micropayments using clickwrap contracts for Over-the-Air updates. Lagging behind in cyber security is no longer an option.
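The validation the two paragraphs above describe can be shown with a toy hash-chained ledger of vehicle telemetry records. This is an added example, not code from the article or from any vehicle or blockchain project: each record is tagged by the reporting vehicle and hash-linked to its predecessor, and any node that receives the ledger can check that no record was altered, reordered, or injected by a party without a provisioned key. The vehicle IDs, keys and position/speed readings are constructed sample data, and HMAC-SHA256 with a per-vehicle shared key stands in for the digital signatures a real deployment would verify with public keys, so that the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict, replace
from typing import Dict, List, Optional, Tuple

# Constructed sample keys, one per vehicle. A real deployment would provision
# an asymmetric key pair into each vehicle's secure element and verify
# signatures with the public key; HMAC is used here so the example runs
# with the standard library alone.
VEHICLE_KEYS: Dict[str, bytes] = {
    "VEH-A1": b"constructed-key-A1",
    "VEH-B2": b"constructed-key-B2",
}
GENESIS_HASH = "0" * 64


@dataclass(frozen=True)
class TelemetryBlock:
    index: int
    vehicle_id: str
    lat: float
    lon: float
    speed_kmh: float
    prev_hash: str        # hash of the previous block; this is the chain link
    tag: str = ""         # HMAC-SHA256 over the record (stand-in for a signature)
    block_hash: str = ""  # SHA-256 over record + tag; the next block points here


def _canonical(block: TelemetryBlock, include_tag: bool) -> bytes:
    """Deterministic encoding so every node hashes exactly the same bytes."""
    fields = asdict(block)
    fields.pop("block_hash")
    if not include_tag:
        fields.pop("tag")
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def _tag(block: TelemetryBlock, key: bytes) -> str:
    return hmac.new(key, _canonical(block, include_tag=False), hashlib.sha256).hexdigest()


def _hash(block: TelemetryBlock) -> str:
    return hashlib.sha256(_canonical(block, include_tag=True)).hexdigest()


def append_block(chain: List[TelemetryBlock], vehicle_id: str,
                 lat: float, lon: float, speed_kmh: float) -> TelemetryBlock:
    """Vehicle side: produce a tagged, hash-linked record and append it."""
    prev_hash = chain[-1].block_hash if chain else GENESIS_HASH
    draft = TelemetryBlock(len(chain), vehicle_id, lat, lon, speed_kmh, prev_hash)
    tagged = replace(draft, tag=_tag(draft, VEHICLE_KEYS[vehicle_id]))
    final = replace(tagged, block_hash=_hash(tagged))
    chain.append(final)
    return final


def validate_chain(chain: List[TelemetryBlock]) -> Optional[str]:
    """Node side: return None if every link and tag checks out, else the first fault."""
    expected_prev = GENESIS_HASH
    for i, block in enumerate(chain):
        if block.index != i:
            return f"block {i}: index mismatch"
        if block.prev_hash != expected_prev:
            return f"block {i}: broken link to previous block"
        key = VEHICLE_KEYS.get(block.vehicle_id)
        if key is None:
            return f"block {i}: unknown vehicle {block.vehicle_id}"
        if not hmac.compare_digest(block.tag, _tag(block, key)):
            return f"block {i}: tag does not match contents"
        if block.block_hash != _hash(block):
            return f"block {i}: stored hash does not match contents"
        expected_prev = block.block_hash
    return None


def build_sample_chain() -> List[TelemetryBlock]:
    """Constructed sample: two vehicles report position and speed in turn."""
    chain: List[TelemetryBlock] = []
    append_block(chain, "VEH-A1", 45.4215, -75.6972, 48.0)
    append_block(chain, "VEH-B2", 45.4220, -75.6960, 52.5)
    append_block(chain, "VEH-A1", 45.4218, -75.6975, 47.0)
    return chain


def tamper_demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """What a receiving node reports for an honest chain and two tampered copies."""
    chain = build_sample_chain()
    # 1) Alter VEH-B2's reported speed without holding VEH-B2's key.
    forged = replace(chain[1], speed_kmh=5.0)
    altered = chain[:1] + [forged] + chain[2:]
    # 2) Inject a record from a vehicle that no node holds a key for.
    rogue = TelemetryBlock(3, "VEH-Z9", 45.0, -75.0, 60.0, chain[-1].block_hash, "00", "00")
    injected = chain + [rogue]
    return validate_chain(chain), validate_chain(altered), validate_chain(injected)


if __name__ == "__main__":
    for verdict in tamper_demo():
        print("ok" if verdict is None else verdict)
```

The tag is computed before the block hash and the hash covers the tag, so a node that rejects a block also rejects everything chained after it; a forged speed reading or a record from an unprovisioned vehicle is caught at the first block that fails, which is the property the article relies on when it says distributed nodes can validate position, speed and route data exchanged between vehicles and infrastructure.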