As we move through each wave, the likelihood and impact of cybersecurity risk increase exponentially. Likelihood increases because we’ll be giving threat actors (and non-malicious actors) increased pathways to valuable targets that can help them achieve their financial and/or political objectives. Impact will increase because we’ll place important life and business necessities (e.g., banking, home security, oil refining) into a networked, inherently vulnerable grid. In the near term, we’ll see micro impacts (e.g., a manufacturing plant goes down, a car is “bricked” or functionally useless). Wave Three will usher in dramatic change. We’ll see macro impacts: smart buildings rendered non-functional, transportation systems in major cities grinding to a halt, large-scale communication channel failures. The compromise of a single device may put the entire networked ecosystem at risk.
Recent real-world examples begin to illuminate the cyber-driven societal risk that will envelop us. In October 2016, the largest distributed denial-of-service (DDoS) attack to date struck Domain Name System (DNS) provider Dyn, causing major Internet outages across North America and Europe. Attackers used many Internet-connected devices (e.g., IP cameras, printers, digital recorders) that were infected with malware. In another case, the NotPetya wiper malware – which has destructive aims – recently spread across the globe with astonishing speed. It rendered infected systems useless by preventing the operating system from booting. Countless companies were affected, with many facing bottom line hits in the tens of millions of dollars.
Why are these risk scenarios plausible? What’s enabling the compromise of these intelligent things?
How do we mitigate these risk scenarios? At the core, it’s about swift, proactive action.
We have an advantage right now: a small window of opportunity to secure intelligent things while they’re still essentially toys. History shows us that bad guys will inevitably devise new tactics and tools to circumvent existing defenses.
Getting ahead starts with the consumers: businesses and individuals that purchase and use these intelligent things. Consumers must demand security, and make purchasing decisions with device security as a required feature. When consumers demand, manufacturers will listen. Not only will they need to embed security into the core of new connected devices, but they will also need to find ways to patch deployed devices and adhere to evolving standards. There are many tactical measures that device makers can and should implement (see Booz Allen's Field Guide to IoT Security).
It’s also important that industry coalitions rally around cybersecurity and actually establish these standards, and set new norms. The Automotive Information Sharing and Analysis Center (Auto-ISAC) is a great example of a coalition that recognized cyber as a shared need, and collaboratively developed baseline security practices to implement industry-wide. At Booz Allen, we’ve seen this success first hand, as we drove
We’re in for an exciting experience as we ride the waves of connectivity throughout the coming years. But citizens, businesses, and governments must take proactive, vigilant action to reduce cyber risk, so our connected society dream becomes reality.