Tuesday, January 3, 2017

The Internet of Hackable Things

Trucks ramming into pedestrians. Bombs planted at public events. Random shootings and stabbings. These are easily observable acts of terrorism for which the perpetrating organization often takes clear credit. But as we progress through an increasingly automated world, one where e-communications of one form or another often determine policy and reaction and our real world systems are run by smart machines, we face an escalating threat of cyberattacks where the perpetrator often prefers to remain cloaked and untraceable. Bots. Malware. Data breaches. Diverting control. Yeah, that stuff.
If we are to believe the CIA, NSA and the FBI, Russia (with the full complicity of its strongman/president Vladimir Putin) pretty clearly actively intervened in American election-related communications to tilt the electorate away from Hillary Clinton and towards Donald Trump. Their method: pay a cadre of clandestine misfits a lot of cash under the table to implement the government’s policy directives – adding a layer of separation and deniability to their efforts. Unfortunately for Russia, some of those misfits spilled the beans.
Such threats strike at the core of our system of government, and I can easily envision where a rogue president might someday declare the American election system to be so untrustworthy that one or more entire election cycles are simply cancelled pending correction to such rogue president’s satisfaction. Fake news is apparently more relevant today than facts.
That is political terrorism, well within the bounds of foreseeability. But there is another form of cyberterrorism that will simply kill people through pre-programmed “accidents” inflicted by hacking systems governed by artificial intelligence or automation. It is invading that nebulous arena, very common today, where machines communicate with other machines: the Internet of things.
Look at some of what could happen. From a driverless car or truck that turns into a crowd of pedestrians, to a complete shutdown of a power grid, the destruction of our electronic financial infrastructure, the intentional meltdown of a nuclear power facility, disrupting GPS controls, to an oil storage/refining structure that suddenly dumps thousands of gallons of flammable liquid to flood a large area before igniting the mess, to medical implants controlled by outside monitors instructed by hackers simply to stop working, to the thousands of potential industrial accidents that wind up taking the lives of operators of automated assembly lines… well you get it.
If the news weren’t full of a litany of serious data breaches, we could just write all this off to a bad science fiction movie. But we know better:
“In mid-December, Uber put its first fleet of self-driving cars on the road in its hometown of San Francisco. The online transportation network company did so in the face of state regulators who say the company needs a permit to keep the vehicles on the road. By noon that first day, a video surfaced online showing one of Uber's Volvo XC90s, equipped with their ‘state-of-the-art self-driving technology,’ running a red light.
“Just a year prior, Chrysler issued recalls for 1.4 million hackable cars after a vulnerability in several models was discovered which gave hackers the ability to control vehicles remotely… ‘It will take some kind of major event to push this type of industry,’ Marshall Heilman, VP of Mandiant Consulting at cybersecurity firm FireEye, told AOL.com… ‘If you look at the automation of cars, obviously the government has to have some type of legislation and mandate to secure that environment. Otherwise, could you imagine if hackers were able to take over a bunch of cars and drive them around; that would be extremely bad,’ said Heilman… ‘Some type of event I think is going to have to occur before the government actually gets involved and sets those particular standards.’
“Heilman sees the trajectory of safety in the automation industry as analogous to the oil and gas industry. ‘Safety is the biggest thing that they worry about now,’ said Heilman of oil and gas companies. ‘And that's because since they've had a number of accidents over the years, the government has stepped in, and there are now all types of mandatory safety requirements and legislation around that particular problem…I expect to see a same thing in the automation industry,’ said Heilman…
“One field where security has seemingly yet to catch up to its innovation is the medical industry. While there have been considerable breakthroughs in defibrillator and other implantable technologies, research suggests these advancements may come with a price. ‘There are certain medical devices that are implanted in human beings that can possibly be hacked,’ said Heilman.
“In October of this year [2016], cybersecurity firm Bishop Fox backed an original report from short-selling firm Muddy Waters which claimed to find a critical and life-threatening vulnerability in Jude Medical Inc cardiac implants. If compromised, the report states that hackers could convert the company's Merlin@home patient monitoring devices into ‘weapons’ with the ability to cause cardiac implants to stop providing care, and even deliver shocks to patients… St. Jude has strongly disputed these claims, which are currently under investigation by the U.S. Food and Drug Administration.” AOL.com, December 26th.
We are constantly reminded by various governmental agencies that the United States remains exceptionally vulnerable and unprepared for these increasingly sophisticated cyberattacks. We also know that the United States itself engages in such clearly intrusive behavior, both defensively and offensively. It’s just the way it is. 2014 was a horrible year for data breaches. 2015 was worse. 2016 achieved new depths of hacking, breaking records. 2017 is upon us. How bad does it have to get there before we realize how important protecting our digital world has become?
I’m Peter Dekom, and I suspect that the United States might need to reallocate massive amounts of military budgetary proposals to focus much more heavily on what could cause enough damage to shut down the entire United States: inadequate cybersecurity.

No comments: