In June, Reeves Wideman wrote an article in New York Magazine entitled The Big Hack describing a fictional cyber attack on cars, hospitals, police dispatching systems, and, ultimately, water and power systems in New York City. In retrospect, the article may seem almost prophetic to some, given the series of attacks in recent weeks that affected a number of internet services – a hacking that occurred through everyday household internet-connected devices. While this attack was relatively limited in scope and loss, it caused many to start thinking about how long it will be until hackers become so sophisticated that they could cause wide-ranging damage.
However, as longtime experts in the cyber security field, the risks posed by the Internet of Things (IoT) has been a growing area for security risks that we have been looking at for many years. As a prosecutor, author Jonathan Fairtlough handled cases involving traffic jams in Los Angeles caused by the shutdown of computer-controlled traffic lights, the use of tracking devices and phone hacks to attempt to isolate and control another person, and the use of law enforcement and 911 services as a means to attack others. Author Alan Brill has been training military and government teams on cyber attacks at NATO’s Center of Excellence for Defense Against Terrorism for six years.
Internet of Things and the Law of Unintended Consequences
Cyber attacks on infrastructure facilities are real and are not just aimed at stealing credit card, banking, or medical data. We know that the infrastructure of Estonia was attacked during a dispute with Russia. We also know that the attacks on Crimea and Ukraine included offensive cyber operations directed against Ukrainian forces. We know that the control systems of a dam in upstate New York were targeted for attack by foreign hackers. Our experience tells us that not only are the risks real, but that if anything, they have been understated. It isn't just nation-states, terrorists, and hardened cyber criminals that can use these attacks. The manipulation of infrastructure and data can be used by disgruntled employees, angry ex's, and offended teens.
Why do we find ourselves at risk of having internet-connected devices ranging from power grids to elevators, light bulbs to "smart" refrigerators, and DVRs to automobiles – to potentially even implanted pacemaker/defibrillators – taken over by criminals, or even foreign government sponsored hackers? We believe that the primary reason that so many internet-connected devices are creating so many potential vulnerabilities is the law of unintended consequences. The law of unintended consequences is quite simple, actually. Actions, as we tell our children while they are growing up, have consequences. You may not think of those consequences when you’re planning to do something, or taking advantage of a new and efficient opportunity, but the unanticipated or unforeseen consequences nonetheless do exist.
We believe that the vast majority of the security flaws that make the IoT dangerous were never intended to cause problems. Rather, we believe that the developers of these systems never thought about the real-world risks faced by anything connected to the internet. We don’t think that the developers of baby monitors thought about the possibility of a hacker intercepting the data flowing between the camera and the receiver and either watching the images or even speaking to the child. If they had, we believe they would have built in appropriate protections.
Similarly, we don’t for a moment believe that the maker of a medical intravenous infusion pump intended to make its device easy to hack (so easy, in fact, that in 2015, the U.S. Food & Drug Administration issued an alert about those infusion pumps that had known cyber security weaknesses). The problems were severe enough that the FDA said, “We strongly encourage that health care facilities transition to alternative infusion systems, and discontinue use of these pumps.” In fact, in January 2016, the FDA released guidelines for medical device cyber security that included both planning and testing before devices are released and vigilance to respond to security challenges that are detected after the devices enter service.
Similarly, experimenters have demonstrated various hacking techniques targeting specific makes and models of cars. With new cars increasingly having internet connectivity, the risk of hacking grows. This risk has been recognized for a long time – we were quoted in an article on the subject in 2013 – but it wasn’t until researchers identified and publicized real vulnerabilities that the industry took the problem seriously, invested in personnel and processes, and made vehicle cyber security a priority during their vehicle development life cycles.
Internet of Things at Risk for Cyber Attacks From Hackers and Malicious Insiders
While it’s easy to focus attention on faceless “wizard hackers” in foreign countries, it’s also easy to forget the damage that insiders can play. This is nothing new. In June 1971, in connection with a labor dispute, bridge operators left 25 of New York City’s 29 drawbridges in an opened or partly opened position, causing massive traffic disruption across the city.
In 2008, then-Mayor Gavin Newsom of San Francisco had to have an in-person meeting (in jail) with an IT manager who had put in place passwords on key portions of the city government’s infrastructure and refused to give them to anyone else, because he felt that those above him in the city’s IT organization were incompetent. The prisoner gave the password to the mayor, and his $5 million bail (far more than for most murderers) was reduced. The network administrator was found guilty at trial and sentenced to four years imprisonment.
It’s also easy to imagine a sympathizer of a terrorist organization who is employed by a government agency as a network administrator serving as a “sleeper agent” collecting the rights and authority that would permit the person to carry out a significant and deliberate attack, or at least to provide the connection between the “protected” network and the remote attackers. This could be done with nothing more complex than a cell phone used as a Wi-Fi hot spot to provide a bridge into a computer attached to the targeted network. Unless and until governments adopt and enforce “minimum access” and “need to access” policies and implement strong controls over every privileged account on their networks, these risks will be substantial. Even with such policies, the risks will exist, but with effective monitoring systems, the risks can, at least, be managed.
Smart Homes and Cities Require Security-focused Development and Implementation
First, we believe that government agencies, businesses, and individuals who buy internet-connected devices have to insist that security be an important part of the development of those devices. We also believe that regulators and law enforcement agencies, such as the FCC, FDA, FTC, and financial industry regulatory bodies, have to make it clear that sub-par cyber security is unacceptable. Consumers aren’t equipped to independently assess the security of thousands of lines of computer code that may be embedded in cars, drones, medical devices, or even appliances. They have a right to commercially reasonable security both when products are developed and as they are used and new threats are identified. We further believe that a demonstration of continuing interest by Congress would help. Hearings do bring out important issues, and given that our government is one of the largest purchasers of off-the-shelf equipment from connected cars to digital communications gear, the government has a lot to lose if an IoT attack occurs.
Second, we believe that the insurance industry must evolve to develop better ways to provide coverage for cyber risks. Cyber insurance is a relatively new specialty, and while it is growing and evolving, there is no question that the IoT will complicate issues of coverage, damages, and claims.
Finally, we believe that companies must motivate their systems development and maintenance staffs to put a high value on security. This is something that must come as a strong and clear message from both the board of directors and top management. Anything less means that both the company and its customers are, knowingly or unknowingly, playing a no-win game of Russian roulette.
Read the article