Intelligent things promise to revolutionize our daily lives. Switch on a light in your home from hundreds of miles away. Your house, sensing that you left, automatically adjusts climate control. Your refrigerator pipes up when you’re running low on milk. A digital assistant reads your mail and updates you on the day’s breaking news.
We’re looking at a future where humans and machines connect, and seamlessly work together. As we watch all sectors of the economy, and all aspects of our daily lives change due to connectivity, we need to think about this shift as a connected society. We’re seeking great technical progress, where we’ll reap countless benefits.
However, this rapid movement toward connecting everything and everyone inherently generates serious cyber vulnerability and risk, such as loss of privacy, business stoppage, and the worry that intelligent things will jeopardize public safety—just to name a few. As we move through this evolutionary journey, citizens, businesses, and governments must take proactive actions to ensure our future is secure.
The concentration on intelligent things dominates our lexicon, and we’re moving past
Today, we’re experiencing the initial groundswell; a taste of the future. Consumers and businesses are experiencing isolated instances of brilliance. Maybe your vehicle’s operating system updates overnight while in the garage. Perhaps your office building self-regulates its energy usage and security systems. We’re calling this Wave One, where things are coming to life – talking, communicating, doing. Simultaneously, certain industries are also beginning to implement
As we reach Wave Three, we’ll see citizens, businesses, and governments reaping a plethora of new benefits. Machines will be networked – and working together – at large scale, across all aspects of society. This is when we become a connected society. Here, artificial intelligence and other technologies will serve as a foundational decision-making power in our world, enabling massive leaps forward. Think autonomous transportation, disease diagnosis, and financial advising. Imagine this scenario: you visit your doctor for your annual check-up and have a set of health scans. This data is immediately available in your electronic medical record. It also feeds your financial planning app, which gives you customized recommendations for financial investments based on real-time life expectancy, all from that single doctor's visit. Industries start working together – and with us – to create a connected world.
“This evolution is undoubtedly exciting, but we cannot afford to ignore the tradeoffs.”
As we move through each wave, the likelihood and impact of cybersecurity risk increase exponentially. Likelihood increases because we’ll be giving threat actors (and non-malicious actors) increased pathways to valuable targets that can help them achieve their financial and/or political objectives. Impact will increase because we’ll place important life and business necessities (e.g., banking, home security, oil refining) into a networked, inherently vulnerable grid. In the near term, we’ll see micro impacts (e.g., a manufacturing plant goes down, a car is “bricked” or functionally useless). Wave Three will usher in dramatic change. We’ll see macro impacts: smart buildings rendered non-functional, transportation systems in major cities grinding to a halt, large-scale communication channel failures. The compromise of a single device may put the entire networked ecosystem at risk.
Recent real-world examples begin to illuminate the cyber-driven societal risk that will envelop us. In October 2016, the largest distributed denial-of-service (DDoS) attack to date struck Domain Name System (DNS) provider Dyn, causing major Internet outages across North America and Europe. Attackers used many Internet-connected devices (e.g., IP cameras, printers, digital recorders) that were infected with malware. In another case, the NotPetya wiper malware – which has destructive aims – recently spread across the globe with astonishing speed. It rendered infected systems useless by preventing the operating system from booting. Countless companies were affected, with many facing bottom-line hits in the tens of millions of dollars.
Why are these risk scenarios plausible? What’s enabling the compromise of these intelligent things?
How do we mitigate these risk scenarios? At the core, it’s about swift, proactive action.
We have an advantage right now; a small window of opportunity to secure intelligent things while they’re still essentially toys. History shows us that bad guys will inevitably devise new tactics and tools to circumvent existing defenses.
Getting ahead starts with the consumers: businesses and individuals that purchase and use these intelligent things. Consumers must demand security, and make purchasing decisions with device security as a required feature. When consumers demand, manufacturers will listen. Not only will they need to embed security into the core of new connected devices, but they will also need to find ways to patch deployed devices and adhere to evolving standards. There are many tactical steps that device makers can and should take (see Booz Allen's Field Guide to IoT Security).
It’s also important that industry coalitions rally around cybersecurity and actually establish these standards, and set new norms. The Automotive Information Sharing and Analysis Center (Auto-ISAC) is a great example of a coalition that recognized cyber as a shared need, and collaboratively developed baseline security practices to implement industry-wide. At Booz Allen, we’ve seen this success first hand, as we drove
Finally,
We’re in for an exciting experience as we ride the waves of connectivity throughout the coming years. But citizens, businesses, and governments must take proactive, vigilant action to reduce cyber risk, so our connected society dream becomes reality.