Here’s some advice to make internet hackers less frightening

Alex Alben, the chief privacy officer of the state of Washington, is paid to worry about the lawlessness of the internet. Photo by Adam Glanzman/Northeastern University

SEATTLE – Alex Alben is paid to worry about the lawlessness of the internet. The hackers. The unsecured networks. The fears of endless data breaches and intrusions. There will be no quick solutions, he acknowledged. But there should be reason for optimism.

“We’ve been here before,” said Alben, chief privacy officer of the state of Washington.

One century ago, a similar web of problems was spun from the assembly lines of Henry Ford and fellow automobile manufacturers.

“Within a short order of time, hundreds of thousands of cars came on the roads,” Alben said at a recent symposium held by the College of Social Sciences and Humanities at Northeastern-Seattle, a campus abutted by Amazon, Facebook, Google, and other online pioneers. “There were no laws then. You weren’t even required to have a brake on a car. You weren’t required to have a steering wheel. Cities didn’t have laws for whether you needed to drive on the left or the right.”

Alben and others who study smart infrastructure came to a sobering conclusion.

Years of speculation in cyber technologies have left us vulnerable. The promise of smart grids, efficiently managed traffic, and a citizenry empowered by real-time data is being offset by hackers who steal, sell, and ransom our most valuable information.

“There is a corollary to climate change: We need to start taking action now,” Patrick Massey, regional director of Homeland Security’s office of infrastructure protection, told the symposium. “In the next couple of years, if we don’t get it right, we’ll deal with the consequences for a generation.”

The moral of the automobile age is that a framework of local, state, and federal laws was created eventually to bring order to the roads. But that response took much longer than a couple of years. And the issues of the new digital frontier are likely to be even more complicated, in part because people are just beginning to realize the wealth of private information that they are surrendering. Companies are exploiting your personal details because lawmakers have yet to tell them they can’t.

“My bias is that the citizen owns the data,” Alben said. “That should be your data.”

The European Union provides individuals with control over their personal data. But there is no such privacy law in the United States, which has enabled companies to collect information on anyone who uses anything with an IP address, a numeric designation that identifies its location on the internet, including millions of cars that are outfitted with black boxes.

“The public does not know how much data a car is actually reporting,” Alben said. “How do you opt out of it? There’s no way to, basically.”

The Internet of Things (or IoT, as many of the panelists referred to the billions of products that are connected online, such as smart refrigerators and self-driving cars) continues to grow with little regard for safety. And so the hackers, wherever they are, are encouraged to seize upon vulnerabilities like bank robbers of the Wild West.

Uta Poiger, the dean of the College of Social Sciences and Humanities, attends the Smart Cities Symposium in Seattle on November 29, 2018. Photo by Adam Glanzman/Northeastern University

“We are implementing this Internet of Things to make a whole bunch of efficiencies happen,” said Michael Hamilton, president of CI Security, a cybersecurity firm near Seattle. “And we are expanding our attack surface immeasurably. All this stuff gets weaponized and taken over if it’s not deployed carefully.”

It can also be put to good use, of course. Uber provides real-time data on traffic and road conditions to local governments. If Seattle ever faces a need for evacuation, said Gabriel Scheer, director of government affairs and strategic development for the bike-and-scooter-sharing company Lime, his company will instantly release thousands of vehicles that can help people escape between the cracks of gridlocked traffic.

As much as Alben is encouraging a national discussion of privacy rights, he is also wary of knee-jerk or excessive regulation because “it could kill the technology or stifle innovation.”

The daylong conversation took an interesting turn when several panelists spoke of the need for backup systems in times of emergency. If the power is out and the online network is off, workers may need to understand how to manually shut down systems in order to prevent catastrophe.

“Your cell phone’s not going to work, the comm lines aren’t there, you can’t see what you’re doing right now, where’s your flashlight?” said Jonathan Richeson, a protective security advisor at Homeland Security. “We see the beautiful [high-tech] things that are going into facilities and how things are evolving. But we always have to remember that going back to the root of it is something that needs to be planned for.”

Workers must be able to manage the software as well as the hardware, said Emeka Anyanwu, the engineering and technology innovation officer for Seattle City Light, which provides electrical power to the city.

“For us it’s about getting utility professionals in dialogue with educators about what the curriculum and skill development should look like,” said Anyanwu, who referenced Northeastern’s role in providing students with hands-on training. “It’s [going to come from] these great internship and co-op programs that provide experiential learning.”

The terrorist attacks of Sept. 11, 2001, led to the development of FirstNet, a public-safety broadband network. A next step should be the creation of a real-time analytics center to manage threats and apply the lessons in a cooperative way, said Bill Schrier, a FirstNet senior advisor. If the idea is to build interconnected systems, then shouldn’t there be a network to enhance security?

“I’m not going to bore everybody with network segmentation and firewalls and all the stuff that we do to drive the likelihood of a bad outcome to zero,” said Hamilton. “And it will never be zero. I know this because one of the things my company does is penetration testing: We break into [client] networks, and we always win. What does that tell you? You are secure until your ticket is punched.”