RAND's Lillian Ablon Presents 'Lessons from a Hacker'


Jun 1, 2016


As of this year, an additional 5.5 million devices and appliances are being added each day to the “Internet of Things,” a growing network that is expected to reach 6.4 billion devices worldwide in 2016. By 2020, connected devices should outnumber people by 6 to 1.

This was some of the outside research the RAND Corporation's Lillian Ablon shared May 25 during a presentation on “The 'Internet of Things': Lessons from a Hacker” at RAND's Santa Monica headquarters. Ablon, a cybersecurity and emerging technologies researcher, spoke at a RAND Policy Circle Conversation, a series of talks with RAND's most senior researchers for a community of philanthropic individuals committed to supporting RAND's objective research and analysis.

In addressing how an increasingly digital world is presenting new risks, Ablon spoke about the world's expanding cyber vulnerability, those who are out there to take advantage of those vulnerabilities, and consumer attitudes toward breaches. The “Internet of Things,” with its increased and pervasive connectivity, has added functionality to everyday life, Ablon said, but has also vastly increased the attack surface. And these “connected things” go beyond computers and smartphones to include toasters, refrigerators, pacemakers, lightbulbs and cars—essentially “computers on four wheels.”

“Functionality often trumps security,” said Ablon, a professor at the Pardee RAND Graduate School and the first female to win the Social Engineering competition at DEF CON's hacker conference.

In discussing cyber vulnerabilities, Ablon talked about human weakness, pointing out that people are “gullible, like to click on links, and like to open attachments.” She described a lack of focus on teaching developers to keep security in mind when creating applications, systems, websites, and devices used by billions of people worldwide, and few consequences when products have bug-riddled code.

As an example, she cited the potential dangers of software vulnerabilities in cars. While the software in modern high-end cars has approximately 100 million lines of code—with this number planned to grow to 200 million to 300 million lines of code in the near future—she said car companies do not have standard procedures in place to develop and implement security patches.

When a software vulnerability in Jeep Cherokees was discovered, Chrysler mailed USB drives to more than a million drivers, for them to install the patch on their own (and plug an unverified thumb drive in—something security professionals often warn against). When Tesla needed to patch its vehicles, however, the company was able to install the patch directly into the cars through over-the-air software.

“There's no clear path from vulnerability,” Ablon said, adding that the threat is no longer just about crashing computers, but about the software crashing in cars or causing cars to crash. But everyone can play a part in creating a more secure world, she said. Consumers can hold vendors accountable; manufacturers can implement “bug bounty” programs and support vulnerability research, so that companies can fix bugs before they are exploited; and policymakers can develop standards for methods of security patch deployment.

Ablon described the four types of cyberthreat actors: state-sponsored actors, such as those responsible for the Sony Pictures hack, who often believe they are acting within their own laws; cybercriminals, whose main goal is to make money, like those behind the data breaches at Target, Staples, and Home Depot; cyberterrorists, whose disruption of networks often results in violence, and whom Ablon described as over-hyped and mostly fiction; and “hacktivists,” who are politically or socially motivated, such as those behind WikiLeaks. She also said overlap can occur among the four groups: “One man's freedom fighter is another man's cyberterrorist.”

While there is no doubt that data breaches and cybercrimes are widespread—they have impacted more than 105 million American adults and about a quarter of American adults in the last year—what effect have they had on consumers? Surprisingly, not much, according to Ablon's research. Ablon found that 77 percent of consumers surveyed who had personal data stolen from a company were satisfied with the company's response and only 11 percent stopped doing business with the company. “All in all, consumers are pretty forgiving,” she said.

“It's not possible to be 100 percent secure,” Ablon said, but the goal is to make it harder for potential cybercriminals. “Security is everyone's responsibility,” she said, from the company intern to the CEO.

The event, which RAND hosted with Morgan Stanley and American Funds, brought together leaders in business, finance and philanthropy. The previous day, Ablon spoke in depth on the Hackers' Bazaar, underground black markets where cybercriminals buy and sell the tools to carry out cybercrime attacks, as well as the stolen goods from those attacks, during a presentation at RAND's Santa Monica headquarters as part of RANDNext, a group of RAND's early- to mid-career philanthropic supporters.

— Sara Rouche