Security, What Security?

There has been a recent spate of high-profile online security breaches in Australia. Private details of millions of individuals were stolen from the watchful eyes of multi-billion dollar companies and possibly sold on the dark web. Like many other people, I, too, have been alarmed and examined this problem from many perspectives. Before any further discussion, in full disclosure, by profession, I am not related to the security industry or have any formal qualification to be a subject matter expert. My motivation is grounded in being a concerned citizen and presenting an alternative view on how Machine learning (ML) and Artificial Intelligence (AI) can prevent future breaches.

Cause and Effect

In this connected world, hardly anything happens in isolation. There is always cause and effect. Instead of dollar figures, let’s focus on the human cost of a security breach.

• A few years back, a colleague lost his laptop and some pen drives. Security or privacy was not on his mind. He was more concerned about the cost of replacing the pricey laptop. A few days after the incident, someone called him, claiming to have his laptop. When probed about how he found out about my friend's phone and address, he replied it was on one of the word documents in the pen drive; he was not sure that the person he was calling was the owner of the laptop, he just took a chance. Anyway, the matter was resolved, and the laptop was returned. Connecting the dots backwards, what unsettled my colleague later was knowing that someone out there had gone through his private documents and photographs and was fully aware of his family, where he lived etc. Now take this sinking feeling and multiply this by a few million individuals.
• All of us have, from time to time, received a phone call from eager telemarketers or online advertising, selling things that we may or may not need. If the transaction were to go ahead, we might have to provide them with our contact details and where to send the product or services. I would like you to pause and reflect on where they are calling from and the information you have provided about where it might end up.

When we part with our private information to commercial entities or social media sites, no matter how benign, there will always be cause and effect.

Security and World of Vendors

Let’s start this topic with a few idioms and buzzwords that will come in handy later, “ Kicking the can down the road.”, “Let sleeping dogs lie” and “Outsourcing”.

Throughout human history, if there is a need, eventually, there is a supply. The IT security world is not immune to this. Over the last few decades, a hoard of vendors has cropped up, claiming to be the very best in what they do. Not only do they provide software or hardware components that go into the making of a secure system, but they also have various certifications on security guidelines and system deployment.

What all of this means is that companies are more inclined to write a cheque and “outsource” the problem rather than dealing with it internally; I mean, who does not like “kicking the can down the road.”

Don’t get me wrong; this is not a blame game because those who try to do this their way also get ridiculed for not following industry best practices or putting private information at risk.

Finally, let's turn our attention to? “let sleeping dogs lie”. A few years back, I was planning to run a Large ML experiment, and by large, I mean more computing, more memory, multiple servers and, in the end, more dollars. I costed the experiment with our own (well-known) cloud provider and provided an alternative with a lesser-known cloud provider. Needless to say that the lesser-known provider was at least four times cheaper than the first.

Happy that I? finally had a cheaper alternative, my manager decided to explore that option. This was all good until the security team walked in and sensibly alerted us since we accessed the system outside the company's core infrastructure. I was told it just could not happen because that cheaper provider is not industry or vendor certified, and that is it.?

Mind you, the core computing infrastructure provided by both vendors was precisely the same in terms of specs and connectivity. When I probed with the security team why that is the case, the response I received was, “let sleeping dogs lie”. In my experience, security can sometimes be shrouded in the psyche of fear without rational thoughts. That can not only leave us vulnerable but also hamper economic and more creative outcomes.

So with all the vendors, guidelines and certified individuals floating around, why do data and data privacy breaches happen?

The Two Faces of Security.

To paraphrase Edward Snowden, “ you cannot make a system secure for the bad guys and insecure for the good guys.”. Security has always been a zero-sum game. Let's generalise this thought to the procedures of the security industry regarding the equipment they sell and the guidelines they publish.

Every year multiple vendors lead security conferences where all the latest tech and defences are up for display. But here is the thing, when vendors talk about how they can protect your information and secure your network, both security experts and hackers are listening. Let’s face it; if you are going to be in the business of stealing privileged information by default, you have to know the vendor's equipment and security guidelines better than the internal security team does. How else will you get past them?

Is blaming individuals worthwhile?

Over the years, whenever there has been an airline accident, especially where there are fatalities, the first instinct is to look for human error, often from the pilot. It's convenient and gets the significant players off the hook. IT security is no different; blame it on an individual or a few. That way, the rest can sleep easily. I must agree there is some truth to this, simple password, expired password, click on a link, and social engineering, to name a few. According to OAIC, 41% of the breaches are directly attributed to human error, and over 60% are some combination of human and social engineering. Only 4% are attributed to System or vendor fault.

The key takeaway is whether it is the people or the system. This obvious breach was not anticipated by the security experts or vendors despite repeatedly happening. When we turn this into a combinatorial problem search space for possible breaches is not very big.

How can Al and ML help?

No, not the ones floated by the industry or vendors; frankly, when I was doing the research for this article, I came across so many buzzwords related to security AI and ML my head started to spin. When I looked closely, they turned out to be just heuristics.

AI and ML can help in many ways; however, to keep things focused and concise, let's just focus on one thing, “Protect what matters the most.” When hackers break into systems or networks, what gets the maximum bang for the buck is customer private information; in most cases, that is what they are after. The recent two public data breaches in Australia were all about customer data. This is also the form of hacking that grabs news media attention. This kind of data also has a maximum dollar value, as ransom or out on the dark web.

The effects are not limited here; when there are mass break-ins like this, it has severe financial implications for the company involved. The public trust is mostly gone.

NN, I am not just a pretty face.

Often Neural Networks get the most headlines for their ability to generate pretty pictures. What gets less media attention is their ability to discover new things. Here are a few examples.

• Deep mind NN to discover 3D protein structure.
• AI-based new drug discovery.?
• New methods were discovered to play games like GO and Chess.
• AI discovers new synthetic music and style of painting etc.

One thing common in all of the above is that these were all discovered by AI and ML without any human intervention.

This could be the start of something new.

So here is the basic idea. Inspired by the same generative methods, I started designing a? generative NN whose sole purpose was discovering new Hashing algorithms. Once trained, NN could generate over 1000? in a matter of a few weeks; the stability and security of each algorithm were comparable to SHA256. I am confident that given a vast combinatorial space to choose from, we can generate one of each person on the planet.

To be perfectly clear, these algorithms are mostly variations of SHA because this was more a case of a curious experiment rather than a full practical implementation. Only Security experts or Cryptographers can assess the quality of generated hashing or encryption techniques.

The End Game: Some possible solutions

• Once the onboarding of a new customer takes place, all personal information is destroyed, and only encryption is recorded.

• ?At this point, a unique hashing AI-assisted algorithm is generated.

• The algorithm is shared between the customer (Smartphone) and the company so that both are required to decrypt the data.
• All customer data is always kept encrypted using AL-generated unique encryption algorithms.
• Whenever the customer needs to identify or have private information accessed, for whatever reason, decryption can be based on two-way communication and biometrics; nothing is ever identified over the phone or the web.
• Biometrics works both ways, the person accessing that information and the individual giving consent to access that information.
• Like the iPhone fingerprint chip, the entire set of Bio-metrics can only be authenticated from special ASIC chips on the company side.
• One can think of this as a more sophisticated way of 2-factor authentication.
• Even if a phone is lost, the only loss is limited to that individual.

• Data can be acquired again, and new encryption generated, old encryption discarded.

Let's put some icing on this cake. We can further train a NN to predict unique decryption events or per time interval basis and regard anything as an anomaly when predicted decryption events do not match the observed within some tolerance band.

The Only Safe Computer?

The only safe computer is the one whose hard drive has been crushed, CPU fried, disconnected or kept in a vault. Having said that, I mean that there is no such thing as absolute, unbreachable security; I am sure people will find a way to breach even the most secure AI-encrypted systems. It is all about raising the ante. Most people or groups involved in personal data breaches are opportunistic; they always go for the low-hanging fruit. Taking on an AI-driven system like this will be beyond their capability for a considerable future.

What next?

Vendor-provided security is suitable as a baseline. However, companies, especially those with the resources, would have to develop these technologies independently. Time and time, it has been proven that outsourcing security may make good scapegoats; however, they do nothing to solve the ongoing problems. Organisations must invest in research labs to engineer proactive solutions for their unique circumstances and requirements. Resources need to be invested in real solutions rather than in a false sense of security acquired through outsourcing their problems.

References:

• https://www.acma.gov.au/optus-data-breach
• https://www.abc.net.au/news/2022-11-19/medibank-customers-speak-of-data-breach-impact/101668160
• https://developer.nvidia.com/blog/designing-arithmetic-circuits-with-deep-reinforcement-learning/