Revolutionary evolution: The Internet of things and things to come

Dec 10, 2012 | 12 mins
Apple, Cloud Computing, IT Leadership

Dan Geer and Jerry Archer cast an eye to the future as technology and the Internet evolve, and pose questions about the implications for security and privacy

The digital world is evolution, per se — continuous, rapid, radical, and, by now, so pervasive that it is the Internet which is driving human evolution. It is the Internet which makes possible the future envisioned by genomics researcher Juan Enriquez, one where we choose what and who we are. It is the Internet which allows Intel Fellow Mark Bohr to foresee that “in the future, chips may become integrated directly with the brain, combining AI/human intelligence and dramatically enhancing our cognitive and learning abilities. … lead[ing] to a “technological singularity” — a point in time when machine intelligence is evolving so rapidly that humans are left far, far behind.” Is not the coming of the Internet a “butterfly effect,” a change so profound that the world we know today simply disappears?

Cloud computing may very well be the flutter of that butterfly’s wing, altering most everything we know, including ourselves. Noted philosopher Thomas Kuhn cast revolutionary changes as paradigm shifts, where “a paradigm shift [is] a mélange of sociology, enthusiasm and scientific promise, but not a logically determinate procedure,” ergo the final outcome of such a change is beyond our ability to discern, and, like the “butterfly effect,” can (and will) have vastly different outcomes whose “first cause” are but tiny differences at inception.


Santa Fe Institute professor of economics Brian Arthur says that when complex technology becomes transparent to its users, the complexity vanishes and it is then that those users assimilate the change. That is, it is then that revolutionary outcomes are possible.

This is happening all around us today in what seems every aspect of our life; just look around! Apple has sold 250+ million iPhones, 38 million in Q1 2012 and 5 million in the first weekend after introduction of the iPhone 5. It is not too difficult to remember when Apple fluttered the proverbial butterfly’s wing with a simple, yet logical paradigm shift, evolving the iPod into the iPhone and thereby creating the smartphone, a profound change in technology and the way in which we touch the Internet — and, to the evolutionary point, how the Internet touches us.

Paleobiologist Stephen Jay Gould described evolution itself as “punctuated equilibria” — periods of stasis with little change beyond genetic drift ultimately broken by short periods of radical realignment across many species. The so-called “app store” is just such an example; a mutation in one species (vendor) that changed the selection (fitness) pressure on all species (vendors). Taking only Apple plus Android, the number of new applications greatly exceeds one thousand per day. The question for Gould, were he still alive, would be this: What is the evolutionary implication moving from rare punctuations of long-lived equilibria to constant punctuation of equilibria that are all but evanescent?

Revolutionary evolution is the future — a series of paradigm shifts with unpredictable yet profound effects. Precisely because we are building upon an interconnected foundation of complex technologies, any small change may be extremely amplified. That Apple app store (cloud service) offers 650,000 applications, has 400,000,000 credit card numbers on file, and has engaged in 30,000,000,000 transactions. In dollar terms, that is $7 billion in revenue for app developers most of whom can be called “cottage industry.” With respect to software development, this is revolutionary evolution.


The cloud computing paradigm shift is fueled by near infinite MIPS and storage with near zero marginal cost. Coupled to an Internet of things, one can only predict that it will fundamentally change everything. Harvard Business School professor and researcher Clay Christensen’s theory of “disruptive innovation” is just another way of expressing an equilibrium punctuator, a paradigm shifter, but what if that disruptive innovation were to the continent of Africa rather than to an industrial sector? In the next 3 years smartphone technology will be put into the hands of more than 200 million people, all able to touch the Internet not with computers, but with a transducer that obscures the underlying complexity and dramatically alters social interaction on an entire continent. The so-called “Arab Spring” could easily pale by comparison.

Philosopher Martin Heidegger, in his 1954 essay “The Question Concerning Technology,” describes technology not as something we build, but as something we “uncover and enframe.” The evolutionary change that is upon us is simultaneously centralizing that which has heretofore been decentralized and decentralizing that which has heretofore been centralized, and doing so in the midst of networking everything (the Internet of things).

Are we simply uncovering and enframing this change? D-Wave has perhaps developed a quantum computer and claims the computing power of 10**29 PCs. IBM demonstrated a technique for increasing the density of storage devices by requiring not 1,000,000 atoms per bit but only 10. If made commercially practical, imagine 100,000,000,000,000 (100 TB) of persistent storage in a single small device. They (IBM) also showed how to make what today would be a supercomputer in the space of a sugar cube. Today’s cloud computing capabilities are only a whiff of what will, according to Kuhn, be unfathomable.

Consider future banking operations. With a personal orbit of thousands of devices, an individual would have significant redundancy, and thus losing data would be a thing of the past, unheard of in our then cloud-based world. It would be in the economic best interest of a bank to store all of your banking data on all your devices, and leverage your computing resource to move, alter and cryptographically ensure the integrity and authenticity of that data. A transaction would be performed by the bank, acting as a trusted third party, moving money from the payor’s device to the payee’s device. The bank would have minimal infrastructure and little IT cost, a significant incentive to move in that direction. Moreover, banks and other financial institutions today already have significant apps that are resident on individual smartphones, so this next logical evolutionary change, while relatively modest, would have profound and revolutionary effects on our financial system. As always, regulators would be so far behind as to be all but out of sight.

On a recent Doctor Oz television show, the Toto Intelligent Toilet II was characterized as something that would enable you to live longer. The Intelligent Toilet II is an Internet-connected thing, not your ordinary toilet. It records and analyzes important medical data like weight, BMI, blood pressure and blood sugar levels, and sends that data to trained physicians who can monitor your health and provide early detection for many medical conditions. The segment ended with the line “Trying to have a baby? Not sure when you are most likely to conceive? Ask your toilet for help.” Does that change everything about a trip to the potty?

Today, there are 10 billion devices connected to the Internet, 20% of which would be characterized as a computer. Such things as smart-phones, televisions, stereos, refrigerators, beds, cars, you name it! Perhaps the more compelling trend is that the devices in your orbit are opportunistically communicating with each other. So your fridge can talk to your oven and decide what to make you for dinner based on what is in the fridge, or perhaps in a few months discuss your health with your bed and toilet to make sure you are eating the right things to improve your health, generating a shopping list for your grocery store to make sure you buy the right things, not that pepperoni pizza which gives you heartburn and causes you to lose sleep, waking up tired and inattentive as detected by your new Mercedes Benz, which gauges your reactions while driving to determine if you are alert enough to drive and, if not, signals you to pull off the road and rest or, subtext, stop eating pepperoni pizza before going to bed!

For want of a better term, let’s call this phenomenon “Massive Integrated systems of Smart Transducers” (MIST), the stuff clouds are made of. As we move to the cloud we are creating enormous amounts of MIST. Endpoints are more and more not computers but transducers. Everything from SCADA systems to Siri on the iPhone to that Intelligent Toilet to Progressive Insurance’s “Snapshot” surveillance device to 36-row corn planters driven by GPS to personalized advertising informed by traffic analysis on social networks to standoff biometrics to auto-drive cars to bid-bots on eBay to …, the complexity of computing is hidden and the user of it willingly assimilated. Simply put, “There is an app for that.” This change is profound, and now even a small evolutionary change rippling through this complex foundation can cause revolutionary results not only in the realm of technology but also in our society, our culture, and our governments.


Not long ago, the California Highway Patrol, in an effort to curb speeding, acquired reader devices for the (Federally mandated) automobile black box (“Event Data Recorder”), which as it turns out records the car’s speed over some extended period. If you were stopped for any reason, the CHiPs would “jack into” your car and then compare your speed with the speed limits and, if exceeded, would issue you a speeding ticket — a dangerous precedent pointed out in the California Supreme Court ruling prohibiting such actions.

But could that ruling be overturned to protect the lives and safety of the driving public? Suppose the CHiPs could interrogate your car remotely, determine if you are driving impaired, and tell your car to pull over and disable itself until an officer arrives and, with probable cause provided by your car, administers tests to determine the source of impairment and executes an arrest if appropriate. Interestingly, your car could testify against its owner, providing an analysis of your condition leading to the probable cause and subsequent arrest. Rental car agencies and maintenance-included leasing deals already use black box data to discipline drivers, reminding us that the word “voluntary” has a meaning in law that bears little resemblance to its meaning in conversation.

But even without directly implanted transducers of the sort described by Bohr, every nuanced movement or change in your orbit can be measured, analyzed and correlated. So while there may be a temporary fear of direct transducer implants, your physical condition, actions and even intentions can be indirectly inferred from mega-sampling large numbers of interconnected transducers, providing exactly the same result as an implanted transducer.

Dan Geer in a recent paper remarked “… remember that the Internet was built by academics, researchers, and hackers — meaning that it embodies the liberal cum libertarian cultural interpretation of “American values,” namely that it is open, non-hierarchical, self-organizing, and leaves essentially no opportunities for governance beyond protocol definition. Anywhere the Internet appears it brings those values with it (treating censorship as a routing failure, for example). Other cultures, other governments, know that these are our strengths and that we are dependent upon them, hence as they adopt the Internet they become dependent on those strengths and thus on our values. A greater challenge to their sovereignty does not exist. The challenge to our sovereignty is its dual — it is the choice of whether to commit our critical infrastructures to the Internet in the entire, to discard our fallbacks along with those who practice them, to bet the farm on a roll of the geopolitical dice.”

While we have tended to a personalized orbit in this essay, there is no doubt that a nuclear power plant is in the MIST and has a myriad of transducers in its orbit, as well as banks, the military, the government, and on and on, many of which will periodically cross paths and exchange data (whether deliberately or opportunistically) while in others’ orbits. In fact, might that be the future of how we learn of new products and services, how our transducers are serviced or upgraded?

This leads me to a few big questions: What is the meaning of security and/or privacy in the age of clouds and MIST? How will transducers and apps in your orbit be protected from intrusion, alteration, or service denial? Are laws or regulation needed to protect or govern devices? Would laws or regulation even help? Are you in control or entitled to be aware of the apps and transducers in your orbit? Would your apps or transducers have some sort of inferred or legal rights preventing you from turning them off or excluding certain ones? Is security merely a euphemism for control, and if so by whom? Is security evolving into an organic model, perhaps one where your transducers have a kind of antibody that roams within your orbit identifying and destroying perceived malicious intruders, and if so what about the impact of false positives? Is everything we understand about security about to be obliterated? For that matter, is the meaning of “self” up for grabs?

From a professional perspective, are we security people obsolete, collateral refuse of a paradigm shift, the first and last of our kind, replaced by smart security bots — like The Matrix?

As Edward Lorenz describes the “butterfly effect,” a slight change in the initial conditions can (will) have vast impact on the outcomes. In the near future are fundamental changes in our perspective and implementation of security and privacy. Our professional thought leadership will have a profound influence on the future, enabling a safe and secure paradigm shift into the cloud and MIST. We must not simply let the future happen.

Jerry L. Archer is a co-founder and board member of the Cloud Security Alliance. Dan Geer is CISO with In-Q-Tel and a past president of USENIX Association.