John Manferdelli, Northeastern University
John Manferdelli, most recently director of the Northeastern University Cyber Security Center, stated that three elements are central to intelligence collection: sensors and the data generated from them, analysis, and aggregation. Of these three topics, his presentation focused on sensors and data, offering a few thoughts on analysis and aggregation in his summary.
In the past, he noted, collection systems have been “exquisitely” designed to access one channel of data/information and have worked well. However, he argued that changes in the timescales of development, capabilities, and costs of new data streams (and the sensors that create them) require a new look at old collection models.
The explosion of devices, systems, and infrastructure that utilize sensors and create or share data—the Internet of Things (IoT)—requires the Intelligence Community (IC) to consider them, he noted, as both a creator and collector of information. He defined IoT devices as “small devices that contain digital processors and memory, just like your computers. The mobile phone is an example of an IoT device.” He presented the following points:
- IoT devices are ubiquitous, cheap, constantly changing, and lack many—if any—security features.
- They are low cost and built at scale.
- They are physically accessible, enabling off-network attacks.
- They generate and collect a lot of data.
He summarized by noting: “They sense and control everything in the future.”
Manferdelli explained that IoT devices are components of important infrastructure used throughout society, citing their use in cars, hospitals, and medical devices as examples. Other examples included security cameras (e.g., home security systems) and robot vacuums. He highlighted that personal information is often stored and readily accessible in many such systems.
IoT devices, he explained, contain the following basic components: buses and interfaces; communication stacks; processors; sensors; and memory. He noted that a single standard chip—thousands can be made on a single wafer and are easily mass produced at low cost—contains many of these components.
To support his statement that IoT devices are ubiquitous, Manferdelli presented the following statistics (which are rough estimates):
- Number of ARM[1] processors deployed per year: 12 billion
- The new Mercedes S-class has 63 microprocessors
- Number of laptops: 160 million/year
- Worldwide technology spending on the IoT to reach $1.2 trillion in 2022, attaining a compound annual growth rate (CAGR) of 13.6 percent over the 2017-2022 forecast period.[2]
- The United States dominates IoT services and software but not hardware production.
He noted that these statistics underscore the rapid pace at which the use of IoT devices is expanding, evolving, and developing, while infrastructure, regulations (including those related to security), and bureaucracy move much more slowly. To highlight the impact of this difference, he pointed out that the United States was early to integrate IoT devices into its infrastructure, using early-generation chips and sensors. This is unfortunate, he added, because early IoT devices lack security features, and regulation to improve security has been slow to develop.
[1] An ARM processor is a type of processor developed by Advanced RISC Machines.
[2] According to International Data Corporation (IDC).
Even the current generation of IoT devices lacks sufficient security features to thwart someone with basic training in electronics from gaining access, he stated. He also provided many examples of homework problems that he assigns to undergraduate students including the following:
- Log into an IP camera and change parameters (see the reverse-engineering exercise).
- Modify a router’s operating system or firmware.
- Use updated software to implement a side channel using an LED or speaker.
- Reverse engineer a child’s toy (say a remote-controlled tank) and take control of it.
Manferdelli stressed that the speed of change in technology advancements can help promote better security because adversaries developing tools to access IoT devices that are constantly changing must also adapt. “Nothing frustrates adversaries more than collection systems that utilize multiple channels and are constantly changing,” he said. The exquisite collection systems he mentioned earlier, he said, are vulnerable to adversary attack because they usually are designed to access one channel of information and require long timeframes to change or be updated (per acquisition cycles and the complexity of the system). He also highlighted that the development of policy for collection or attribution is another effort that moves slowly. He suggested that a shift from a mindset that the United States “must get this right” to a risk-based approach would accelerate actions and added, “[I]t doesn’t help to be 99.9999 percent certain of something 2 years after it matters. Sometimes a more balanced judgment alerting people to what might go wrong would be more helpful.”
In addition to data collection, Manferdelli also discussed sensors and their expanded use as they become less expensive. He highlighted nuclear and chemical sensors, noting that chemical sensors are more likely to proliferate in the short term. Other sensors currently in wide use and inexpensive include accelerometers, GPS, gyroscopes, temperature sensors, pressure sensors, and others. He argued that much could be learned from collection systems based on these simple sensors. As examples, he noted that pressure data (i.e., altimeters) might provide location information in San Francisco. He also observed that by geo-fencing (using locational technology to define a geographic boundary) the room in which the workshop was held, an adversary could access the cell phone IDs of the participants and later track everyone’s location.
In summary, he explained that aggregation is an important collection component, and it currently requires higher-level, sophisticated systems and analysis. However, with the amount of data created and collected by IoT systems, he concluded, “The dirty secret is not so much that the algorithms are [advanced], but that the platforms can handle a lot of data. And once you have identified new data at some scale, you are going to find something new. You could be the biggest dope in the world, but you will find something new.”
Robert Dynes, ICSB chair and a planning committee member, asked what percentage of students in Manferdelli’s class are non-U.S. citizens. Manferdelli answered, “More than half—some go to industry, but increasingly they return to their home countries.” Dynes also asked where IoT devices will be in 2 to 3 years. Manferdelli thought that the following two areas will experience large change: (1) better processing capability so that more analysis will be done at the edge, which could be especially important for image processing; and (2) chemical sensors.
Mim John, workshop chair, noted that IoT devices introduce many vulnerabilities. She asked: To what extent are other countries becoming dependent on these devices? And what are our [the United States’] opportunities for exploitation? Manferdelli responded that there are many opportunities, but they are tempered by two things: (1) many countries are using more recently developed IoT devices that have simple security protocols to block attacker access (but one can work to get around them); and (2) the United States should stop depending on “exquisite systems.” Rather, he suggested, the United States should think carefully and build a good but not an exquisite system. And then it should be ready to change things quickly.
John responded that a focus on nimbleness would represent a mindset change for United States’ collection capabilities. Manferdelli said that, for now, he believes that the offensive guys (i.e., attackers) still have the advantage—and will continue to have a relatively easy time—if defenders do not react and add defenses.
Mallory Stewart, a planning committee member, described how spoofing can add significant uncertainty to analysis, which then greatly extends attribution decision timelines, potentially resulting in no attribution at all. As an example, Manferdelli recalled an infamous cyberattack with which he was personally familiar outside of government. Formal attribution took a year or more, but he related that his team knew the origin of the attack the next day. He noted that appropriate confidence levels in attribution can vary, but that it is important to be comfortable with less certainty in some of these situations. Stewart responded that there is no adhered-to international standard to provide confidence in the attribution process so that it can be relied on. She asked whether there was any way to progress toward such a standard. Manferdelli said that the policy and doctrine would be very difficult to develop but may become easier as organizations such as companies become more skilled at attribution.
Nancy Jo Nicholas, another planning committee member, wondered about the rise of the individual and how these tools make it easy for an individual, and not a whole nation-state, to attack. She asked whether hubris might be a motivator—“Look what I can do”—or whether that can be readily separated from an actual nation-state attack. Manferdelli replied that if individuals can figure out a way to make money on something, they will do it—that in the majority of cases for individuals, money will be the motivator. He observed that nation-states tend to be naturally conservative, and if one has some resilience and can introduce deterrence, that can be effective against attacks.