Cyber Security for R&D

Special Springer Nature editorial

The Promise and Perils of Emerging Technology

Risk surrounds and envelops us, without understanding it we risk everything, without capitalizing on it we gain nothing
Glennis Breakwell – The Psychology of Risk

Innovation through experimentation, disciplined research & development, and in some cases just dumb luck has been a driving force in the world since the beginning. It has enabled social and economic growth, but it has also toppled industries as well as entire societies that were upended by the advancement of others. The pace of this change has grown faster over the centuries and is certainly more pronounced in the past few decades, with the ubiquity of computing that has unleashed a faster pace of change across all industries, all aspects of science, and in every corner of the world.

In March of 2017, I gave testimony to the US Senate Committee on Commerce, Science, and Transportation on the Promise and Perils of Emerging Technology for Cybersecurity. In my opening comments, I told a story about a gentleman from the Midwest who underwent experimental eye surgery in the summer of 2015. The man in essence had been outfitted with a high-tech pair of sunglasses with a camera with a video processing unit that was surgically connected to the patient’s brain to create an artificial retina – a prosthetic to enable vision. The man had degenerative eye disease, losing most of his sight years earlier. Ninety (90) days after the surgery, on a fall evening as night had fallen and the moon had risen, he recounted in a Time magazine interview, “The other day I asked my wife Karen to point me to the moon to see if I could see it. I couldn’t. But I turned around and suddenly saw her face.” He saw her face. One that he had not seen in years. That is the promise, the hope, of emerging technology. To connect and enrich lives. To create economic and social gains. That is what research and development are all about. This example required advancements in countless areas such as materials, information technology, biology, as well as surgical procedures.

In my testimony, I also painted a darker picture - one brought about by cyber risks. What if that “visor” used to enable sight was poorly designed, developed, and implemented? What if, like the rest of computing, it was not secure enough and had the ability to execute malicious code? What if that man or anyone with that device in the future looked at a QR code that could maliciously flip bits and a new form of ransomware emerged? One that held your eyesight hostage until you paid in bitcoin to get your vision back. That is one potential peril of emerging technology.

As our opportunities grow, so does our obligation to do right. R&D needs to continue across all sectors into every corner of the world. Yet we need to think about these obligations and the cyber risk associated with that R&D. This can easily be broken into two broad categories.

First, the protection of the R&D itself, the intellectual property and the economic value created by/for the inventor, whether this be an individual or an organization. Over the years and in recent times, we have seen the theft of IP by nation states, organized crime, and those looking to profit from stealing knowledge and know-how from these innovators. This is a national economic crisis that has the potential to jeopardize the future of our companies’ profits and the prosperity of our citizens. We need to do more than complacently sit on our duty to protect this R&D. We have the power to increase legal protections, increase deterrence against nation-state-sponsored theft, and influence dramatic improvements in cyber security technologies to break the escalating risk cycle.

The other category, created by R&D, is the cyber safety of the technology. Several years back we crossed the precipice where anything with power is computing as well as communicating. We have been sloppy in this R&D, especially when it comes to designing with security and privacy in mind. There is often no attempt to anticipate threats and vulnerabilities during the beginning of the innovation cycle. This simple but crucial step could mitigate a significant amount of risk. The notion of minimal viable product, where we think about security and privacy after capabilities are sold and installed, is leaving us all exposed. We are generating our own risk cycle due to our laziness, eventually leading to substantial economic, individual, and societal harm. To address these concerns, every organization should have stringent but agile security development lifecycle efforts as well as privacy by design. In addition, products should not be introduced in volume until we are confident we can manage the potential cyber risks. And while it may not be popular to say this, product liabilities should occur when harm is created, especially if this harm was preventable had the appropriate security and privacy principles been enacted and followed within an organization.

We have the opportunity to make advancements and we have the obligation to do it right. The choice is ours to make … and if you do not make a choice, the choice will make you.

About the author

Malcolm Harkins

Chief Security & Trust Officer, Cymatic.io
Author, Managing Risk and Information Security: Protect to Enable

Malcolm Harkins is the Chief Security and Trust Officer for Cymatic. In addition, Malcolm spends a great deal of time in the industry focused not only on policy and thought leadership in security but also on the ethics around technology risk, social responsibility, total cost of controls, and driving more industry accountability. He is also an independent board member and advisor to organizations. Previously, Malcolm was the Chief Security and Trust Officer at Cylance Inc. and Chief Security and Privacy Officer at Intel Corporation.
