SESSION ID: MASH2-F02
First Do No Harm
Mary Ann Davidson, Chief Security Officer, Oracle Corporation
@heenaluwahine
#RSAC

Agenda
- Caveats
- Impact of Technology
- Scenarios
- Medical Profession vs. Technology Profession
- What to Do?
- Conclusions
- Apply What You Have Learned

Some Caveats…
- Technology can be an incredible power for good
  – …but with great power comes great responsibility
- Perfect isn’t achievable
  – …but “better” almost always is
- The only constant in life is change
  – …and that happens whether we like it or not
- Never underestimate the power of one person to change the world

The Great Myth
- MORE

Impact of Technology
- Positives and negatives to almost everything
- Connectedness
- Shortened attention spans
- Far more information, and the ability to harness information
- Greatly reduced privacy
- Risks many of us don’t see and can’t understand
- Have many of us ever considered the pluses and minuses of technology?

Scenario 1: Connected Cars
- Connected cars have already been hacked
  – “All code has defects; some are significant”
  – No, ML and AI won’t make this all work
- Testing mechanical devices is straightforward
  – …testing code is far more complex
- Inability to maintain code for the life of the vehicle
  – …means far more mechanical waste
- The appeal of “break once; hack many”
- Confluence of technologies may empower precise targeting
  – Or massive disruption

Scenario 2: The Internet-Enabled Refrigerator
- What actual problem does this solve?
- Who else can see if you are out of eggs?
- Why does my kitchen need a firewall?
- Why is my refrigerator now part of a botnet?
- Can the software be maintained for the life of the refrigerator?
- In general, many mechanical devices do not need Internet connectivity and do not profit from it

Scenario 3: The Nuclear Reactor
- Traditionally, access limited to selected, well-vetted people
  – Enforced by guns, gates, guards
  – Physical access required to control reactor
  – Result: limited, well understood, controlled risk
- “Connected access” may exponentially increase risk
  – Result: if you get it wrong, risk cannot be acceptably mitigated

Is ‘More Technology’ Necessarily the Answer?

Consider the Medical Profession
- The Hippocratic Oath: First Do No Harm
- Informed consent, including for clinical trials
- Extensive drug and device testing
- Understanding of side effects of treatments and medication
- Risk vs. reward calculation

Consider the Technology “Profession”
- “More technology will solve technology-induced problems”
- Insufficient/uninformed consent
- Inconsistent testing
- Insufficient understanding of side effects
- Reward often trumps risk; systemic risk ignored

“A Prophet Is Without Honor in His Own Country”

What Should We Do?

Question the Potential Impact of Technology
- Does this (technology) solve a problem people care about?
  – “OMG, like, we need, like, an app to share TPPs with BFFs!”
- Does this potential technology solve a problem better, cheaper or faster than current options?
  – If not, why are we using it?
- Does this technology create externalities? Is the long-term total cost greater than the benefits?
- Does this technology create systemic risk?

Broader Mechanisms for Change
- Improve educational systems (especially STEM programs)
  – Ethical considerations of technology must become part of curricula
  – Technology is ephemeral; ethical norms much less so
  – Example: Humanities division within the University of Virginia School of Engineering and Applied Science
- Industry and professional associations should develop a professional code of ethics
- Industry conferences should incorporate “ethics” tracks
- If we don’t start talking about ethical/acceptable uses of technology, nothing will ever change

What Can One Person Do?
- “Let Your ‘Yes’ be ‘Yes’ and Your ‘No’ be ‘No’”
- Learn to explain technological concerns in layman’s language
  – Incorporate economics, analogies, humor, popular cultural references…whatever works to make your point
  – My favorite: The Little Dutch Boy
- Enlist allies
  – Legal, human resources, privacy mavens, ethics and compliance hotlines…
- Build a community of ethically-aware technologists…and technology-aware ethicists

Summary

Don’t Be This Guy

Conclusions
- Technology-induced problems cannot (necessarily) be solved by more technology
  – By definition, systemic risk must be avoided
- We can only successfully use tec

PDF document: 2020_USA20_MASH2-F02_01_First-Do-No-Harm

This document was uploaded and shared by 张玉竹 on 2022-04-08 09:35:50.