April 21, 2022 from 4:30 PM at Refectory of Augustinian Abbey at Mendel Square - Mendel Museum

Ross Anderson, Cambridge University

The sustainability of safety, security and privacy

Abstract:

Now that we’re putting software and network connections into durable safety-critical goods such as cars and medical devices, we’ll have to patch vulnerabilities, as we do with phones and laptops. But we can't let vendors stop patching after three years! So in 2019, the EU passed Directive 2019/771, which gives the right to software updates for goods with digital elements, for the time period the consumer might reasonably expect. In my talk I'll describe the background, including a study we did for the European Commission in 2016, and the likely future effects. As sustainable safety, security and privacy become a legal mandate, this will create real tension with existing business models and supply chains. It will also pose a grand challenge for computer scientists. What sort of tools and methodologies should you use to write software for a car that will go on sale in 2023, if you have to support security patches and safety upgrades till 2043?