There are expected to be over 40 billion devices connected to the internet by 2020. Cyber attacks on these devices affect not only the online world, but can also lead to vulnerabilities in the physical world as well.
With the volumes of network traffic and activities in devices being very high and with attackers taking efforts to hide their operations, cyber attacks are often hard to detect. Diversity of attacking techniques and tactics further complicates the defenders’ task. In order to detect attacks and understand what attackers are doing, human expertise is combined with Smart Information Systems using machine learning techniques applied to enormous amounts of data.
Since parts of network traffic and device activity data can be very sensitive for the users, the defenders must be careful not to compromise the users’ privacy and other human rights. Great care in handling user data and avoiding flaws is SIS design and implementation is crucial for cyber security service providers. Besides, all digital service providers have to protect their SIS from breaches and manipulation, as their systems are attractive targets for attackers. Since the machine learning models that power SIS are often trained on data collected from user devices, it can be easy for attackers to inject data of their choice into training sets. Models trained on maliciously crafted data will result in systems that exhibit bias, allowing attackers to bypass security mechanisms, or even discredit the SIS owner. This important example of attacking SIS is known as model poisoning and it is difficult to defend against.
Challenges associated with building and utilising SIS in secure and ethical ways are faced not only in cyber security, but in almost every domain. Good practices, training, standards and appropriate incentives are required to support cyber security vendors and ensure that their SIS-powered services effectively and ethically protect citizens. What should the role of governments be in this? How much should governments regulate the use of SIS in cyber security and other domains? European General Data Protection Regulations ensures companies follow good security and privacy practices. However, as the ability to acquire and process vast amounts of global data grows, regulations need to be constantly updated and maintained. Following the European model, should other governments implement these kinds of regulations?