We enjoy a connected world with a fascinating array of devices and applications at our fingertips, if not on our wrists or before our eyes. In just a few years, home networks have gone from supporting a few smartphones, tablets and laptops to scores of devices. Tomorrow’s average home could soon have more online connections than today’s small to medium-sized business. It seems everyone is now in the “IoT tech” business.
On the one hand, creating a hyperconnected, wonderfully ubiquitous internet offers extraordinary convenience and productivity; on the other, this expansion breeds complexity and broader security vulnerabilities that can affect us and our infrastructures.
To meet this challenge, we must pursue two parallel but related paths:
- Standards and policy: Tech industry leaders and government policymakers must collaborate to set security standards and policy roadmaps that advance and not inhibit innovation; and
- Consumer awareness: Often the weakest link, consumers need to be aware of their responsibilities, while technology innovators should take care not to place too much responsibility on consumers.
Today’s connected consumer has to do more than just install antivirus software and a firewall to reduce security risks. A connected lightbulb, toaster or washing machine could be an online fugitive’s weapon to commit a cybercrime that can disrupt or bring down networks. A home network is only as secure as the gadget with the weakest security connected to it.
The same can be said for enterprise networks. Company and government networks employ sophisticated security capabilities. Yet, it can take just one unknowing employee to click a hyperlink or open a document and subject an entire enterprise to a spear-phishing attack, which remains the major source of breaches inside enterprise networks. Here too, the weakest link rests with a consumer-level user.
Yes, we have met the enemy — and it’s often us.
New technologies may be a game changer
The fragmented yet vast IoT landscape and lack of consumer understanding are already causing communication issues as brands attempt to lock users into their ecosystem. But the problems are much bigger than an LG toaster not talking to a Samsung smart refrigerator. When purchasing a smart TV, have you ever read the fine print in the instruction manual to understand how the software inside the TV is updated or how security patches will be applied? What’s the security risk to you when the manufacturer abandons software updates four years from now?
Cyberattacks on IoT devices and networks will continue to expand and evolve. If 1930s bank robber Willie Sutton were alive in 2017, he might be asked, “Willie, why do you hack the internet instead of robbing banks?” Willie would almost certainly reply, “Because that’s where the money (or information) is.”
There is an explicit need for industry guidelines and standards to drive better compatibility and use of security around the devices used at home and at work. As a major user of IT, the federal government should facilitate dialogue and collaboration within industry to drive toward better cyberstandards, particularly those that reduce complexity, if not responsibility, for the individual consumer. Adopting “secure by design” principles and increasing breach prevention capabilities, for example, can help close the risk aperture, but we need more to not only defend but apprehend.
Artificial intelligence and the machine learning that comes along with it offer much promise to advance a more preventive posture. On the inside, for example, we can more rapidly detect potential incursions through user and entity behavioral analytic capabilities and perhaps pattern of life analysis. By employing these and other big and dynamic analytics outward into the OS and dark web, we can identify threats before they hit our turf.
The way forward
As a kid who grew up with transistor AM radios, analog black-and-white TVs and rotary phones, I’m quite amazed by the fascinating technology we use at work and at home. My generation survived with four TV channels, and “Amazon” to us was a river with dangerous fish in Brazil. And as we watched Walter Cronkite, the most precious asset of the 21st century — the internet — was being designed.
Just as we have not fully grasped the internet’s potential, so too have we not grasped its security implications. Yes, we’ve become more aware, but lately, I fear we’re becoming desensitized to cyberattacks around us at a time when we as individual users hold more responsibility for preventing them. Most of us have experienced the inconvenience of a breach, yet most people don’t believe cyberthreats are their problem. Yes, technology can and should reduce the cyber-risk factor of the individual consumer, but there will always be risks that remain our problem … and it starts with education and awareness as part of a personal and enterprise mosaic of security.
In the time I was turning the analog dial on our family TV, the federal government led a comprehensive public awareness campaign to reduce litter and pollution, which included a famous ad featuring a crying 17th century Native American in the foreground. It worked. We cleaned up our country immeasurably. Industry also responded with more recyclable products. We took a similar course to the hazards of cigarette smoking.
A similar approach is needed to “clean up” our “cyber streets and cities,” beginning with focused campaigns to increase awareness and improve personal and organizational hygiene in our nation. At the same time, industry and government need to do their part with public policy and standards that result in innovations that help us meet the threats and mitigate them substantially.
If we don’t deal with this effectively, we may never have to confront the tokenized “Cyber Pearl Harbor,” but we might feel a “cyber-erosion of confidence” that could be every bit as paralyzing to our lives, businesses and governments.
Security has always been everybody’s business. Just now, more so than ever.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.