Cyber Strategist and Senior Associate at Booz Allen Hamilton
Our lives are being revolutionized by intelligent things. They promise to revolutionize daily life. Switch on a light in your home from hundreds of miles away. Your house, sensing that you left, automatically adjusts climate control. Your refrigerator pipes up when you’re running low on milk. A digital assistant reads your mail and updates you on the day’s breaking news.
We’re looking at a future where humans and machines connect, and seamlessly work together. As we watch all sectors of the economy, and all aspects of our daily lives, change due to connectivity, we need to think about this shift as a connected society. We’re seeking great technical progress, where we’ll reap countless benefits. However, this rapid movement toward connecting everything and everyone inherently generates serious cyber vulnerability and risk, such as loss of privacy, business stoppage, and the worry that intelligent things will jeopardize public safety—just to name a few. As we move through this evolutionary journey, citizens, businesses, and governments must take proactive actions to ensure our future is secure.
Generational waves of connectivity
The concentration on intelligent things dominates our lexicon, and we’re moving past hype and into productivity mode. It’s important we pull up from a device-centric point of view and look at the generational waves that we’re likely to experience along our journey toward a connected society:
- Wave One: Connected Things
- Wave Two: Connected Industries
- Wave Three: Connected Society
Today, we’re experiencing the initial groundswell: a taste of the future. Consumers and businesses are experiencing isolated instances of brilliance. Maybe your vehicle’s operating system updates overnight while in the garage. Perhaps your office building self-regulates its energy usage and security systems. We’re calling this Wave One, where things are coming to life—talking, communicating, doing. At the same time, certain industries are also beginning to implement connected technology. The connected driving experience, self-healing energy grids, and digital twin manufacturing—a simultaneous digital replica of a production process—are fueled by intelligent, heavily-networked systems. This process is what we call Wave Two, and it’s just beginning.
As we reach Wave Three, we’ll see citizens, businesses, and governments reaping a plethora of new benefits. Machines will be networked—and working together—at large scale, across all aspects of society. This is when we become a connected society. Here, artificial intelligence and other technologies will serve as a foundational decision-making power in our world, enabling massive leaps forward. Think autonomous transportation, disease diagnosis, and financial advising. Imagine this scenario: you visit your doctor for your annual check-up and have a set of health scans. This data is immediately available in your electronic medical record. This data feeds your financial planning app, which gives you customized recommendations for financial investments based on real-time life expectancy—based on that single doctor's visit. Industries start working together—and with us—to create a connected world.
This evolution is undoubtedly exciting, but we cannot afford to ignore the tradeoffs.
Security challenges increasingly put our ride at risk
As we move through each wave, the likelihood and impact of cybersecurity risk increases exponentially. The likelihood increases because we’ll be giving threat actors (and non-malicious actors) increased pathways to valuable targets that can help them achieve their financial and/or political objectives. The impact will increase because we’ll place important life and business necessities (e.g., banking, home security, oil refining) into a networked, inherently vulnerable grid. In the near term, we’ll see micro impacts (e.g., a manufacturing plant goes down, a car is “bricked” or functionally useless). Wave Three will usher in dramatic change. We’ll see macro impacts: smart buildings rendered non-functional, transportation systems in major cities grind to a halt, large-scale communication channel failures. The compromise of a single device may put the entire networked ecosystem at risk.
In October 2016, the largest distributed denial-of-service (DDoS) attack to date struck Domain Name System (DNS) provider Dyn, causing major Internet outages across North America and Europe.
Recent real-world examples begin to illuminate the cyber-driven societal risk that will envelop us. In October 2016, the largest distributed denial-of-service (DDoS) attack to date struck Domain Name System (DNS) provider Dyn, causing major Internet outages across North America and Europe. Attackers used many Internet-connected devices (e.g., IP cameras, printers, digital recorders) that were infected with malware. In another case, the NotPetya wiper malware—which has destructive aims—recently spread across the globe with astonishing speed. It rendered infected systems useless by preventing the operating system from booting. Countless companies were affected, with many facing bottom line hits in the tens of millions of dollars.
Why are these risk scenarios plausible? What’s enabling the compromise of these intelligent things?
- Our Legacy Systems...Endanger: The majority of today’s deployed connected devices are insecure because they weren’t designed with security in mind. Device makers are only now beginning to bake in security from the start.
- Our Help Desks...Disconnect: All devices have a limited technical support window. When they reach end of life, device makers no longer produce security updates. They are sitting ducks for attackers, as users often keep them connected.
- Our Designs...Flawed: In product design, performance and functionality requirements outweigh security concerns. Often, these devices are not designed for easy, remote updating (they’re not easily “securable”). Manufacturers focus on commercial interests rather than broader societal interests.
- Our Architecture...Vulnerable: The deployment of today’s architecture, such as how we mesh connected devices in a smart building, is not security-driven. As a result, this variety of device and network types creates exploitable gaps. Furthermore, device integrators are not thoroughly educated in cybersecurity practices, making matters worse.
- Our Governance...Anemic: We’re in the early stages of normalizing intelligent things. Connected device makers naturally have their own agendas, and without higher-order policy or pressures to incentivize the use of common technology standards, we’ll stay in this predicament. Organizations such as Open Connectivity Foundation and the Industrial Internet Consortium are developing standards. We’ll just need to entice manufacturers to adopt them.
How do we mitigate these risk scenarios? At the core, it’s about swift, proactive action.
Swarming cyber risk proactively can ensure our future
We have an advantage right now—a small window of opportunity to secure intelligent things while they’re still essentially toys. History shows us that bad guys will inevitably devise new tactics and tools to circumvent existing defenses.
We need swiftly developed policy that defaults to saying “yes” to innovation, and encourages broad adoption of common cybersecurity standards.
Getting ahead starts with the consumers: businesses and individuals that purchase and use these intelligent things. Consumers must demand security, and make purchasing decisions with device security as a required feature. When consumers demand, manufacturers will listen. Not only will they need to embed security into the core of new connected devices, but also find ways to patch deployed devices and adhere to evolving standards. There are a lot of tactical movements that device makers can and should bring to life (See Booz Allen's Field Guide to IoT Security).
It’s also important that industry coalitions rally around cybersecurity and actually establish these standards, and set new norms. The Automotive Information Sharing and Analysis Center (Auto-ISAC) is a great example of a coalition that recognized cyber as a shared need, and collaboratively developed baseline security practices to implement industry-wide. At Booz Allen, we’ve seen this success first hand, as we drove development of and now help operate the Auto-ISAC.
Finally, government must enable and encourage all this action. We need swiftly developed policy that defaults to saying “yes” to innovation, and encourages broad adoption of common cybersecurity standards. Governments have the unique positioning and ability to foster cross-industry behavior change.
We’re in for an exciting experience as we ride the waves of connectivity throughout the coming years. But citizens, businesses, and governments must take proactive, vigilant action to reduce cyber risk, so our connected society dream becomes reality.
Learn more from Booz Allen.