As software continues to eat the world, there is an increasing pressure toautomate every aspect of society, from self-driving cars, to algorithmic tradingon the stock market. As this pressure manifests into software implementationsof everything, there are security concerns to be addressed across many areas.But are there some domains and fields that are distinctly susceptible to attacks,making them difficult to secure?My dissertation argues that one domain in particular—public policy and law—is inherently difficult to automate securely using computers. This is in large partbecause law and policy are written in a manner that expects them to be flexiblyinterpreted to be fair or just. Traditionally, this interpreting is done by judgesand regulators who are capable of understanding the intent of the laws they areenforcing. However, when these laws are instead written in code, and interpretedby a machine, this capability to understand goes away. Because they blindly fol-low written rules, computers can be tricked to perform actions counter to theirintended behavior.This dissertation covers three case studies of law and policy being implementedin code and security vulnerabilities that they introduce in practice. The first studyanalyzes the security of a previously deployed Internet voting system, showinghow attackers could change the outcome of elections carried out online. The second study looks at airport security, investigating how full-body scanners can bedefeated in practice, allowing attackers to conceal contraband such as weapons orhigh explosives past airport checkpoints. Finally, this dissertation also studies howan Internet censorship system such as China’s Great Firewall can be circumventedby techniques that exploit the methods employed by the censors themselves.To address these concerns of securing software implementations of law, a hybrid human-computer approach can be used. In addition, systems should be designed to allow for attacks or mistakes to be retroactively undone or inspected byhuman auditors. By combining the strengths of computers (speed and cost) andhumans (ability to interpret and understand), systems can be made more secureand more efficient than a method employing either alone.
PDF
download
878987797
028-85220240
