In October 2017 your digital video recorder — or at least a DVR like yours if you have one online — took Twitter off the internet.
Someone used your DVR, along with millions of insecure webcams, routers, and other connected devices — Internet of Things devices (IOT), to launch an attack that started a chain reaction, resulting in Twitter, Reddit, Netflix, and many popular sites going offline.
I kid you not! You probably didn’t realize that your DVR or Smartphone has that kind of power.
But it does. All computers are hackable. This has as much to do with the computer market as it does with the technologies.
We prefer our software full of features and inexpensive, at the expense of security and reliability.
That your computer or Smartphone can affect the security of Twitter is a market failure.
The industry is filled with market failures that, until now, have been largely ignorable.
As computers continue to permeate our homes, cars, businesses, these market failures will no longer be tolerable.
Our solution possibly will be regulations, and that regulation will be foisted on us by a government desperate to “do something” in the face of disaster.
The COVID-19 pandemic is an example that totally changes our way of thinking.
How do we now regulate? I’m highlighting the problems, both technical and political, and point to some regulatory solutions.
We also need to revise the trend to connect everything to the internet.
And if we risk harm and even death, we need to think twice about what we connect and what we deliberately leave uncomputerised.
If we get this wrong, the computer industry will look like the pharmaceutical industry, or the aircraft or tourism industry.
But if we get this right, we can maintain the innovative environment of the internet that has given us so much. We no longer have things with computers embedded in them.
We have computers with things attached to them. We wear computers: fitness trackers and computer-enabled medical devices — and, of course, we carry our Smartphones everywhere – GPS tracking our moves.
Our homes have smart thermostats, smart appliances, smart door locks; even smart light bulbs maybe not so much in Fiji but you get the picture.
The internet is no longer a web that we connect to. Instead, it’s a computerized, networked, and interconnected world that we live in.
This is the future, and what we’re calling the Internet of Things (IOT) Broadly speaking, the Internet of Things has three parts.
There are the sensors that collect data about us and our environment: smart thermostats, street and highway sensors, and those ubiquitous Smartphones with their motion sensors and GPS location receivers.
Then there are the “smarts” that figure out what the data means and what to do about it – big data.
This includes all the computer processors on these devices and — increasingly — in the cloud, as well as the memory that stores all of this information.
And finally, there are the actuators that affect our environment.
The point of a smart thermostat isn’t to record the temperature; it’s to control the furnace and the air conditioner.
Driverless cars collect data about the road and the environment to steer themselves safely to their destinations.
You can think of the sensors as the eyes and ears of the internet.
You can think of the actuators as the hands and feet of the internet. And you can think of the stuff in the middle as the brain.
We are building an internet that senses, thinks, and acts. It’ll also get much more dangerous.
I continuously warn governments and people of this. Computer security has been around for almost as long as computers have been.
And while it’s true that security wasn’t part of the design of the original internet in a bygone era, it’s something we have been trying to achieve since its beginning.
I have been working in computer security for over 25 years: first in telecommunications infrastructure, data networks, then more generally in Internet and network security, and now in general security technology.
I have watched computers become ubiquitous.
Today, the integrity and availability threats are much worse than the confidentiality threats.
Once computers start affecting the world in a direct and physical manner, there are real risks to life and property.
There is a fundamental difference between crashing your computer and losing your spreadsheet data, and crashing your pacemaker and losing your life.
This isn’t small stuff; recently researchers found serious security vulnerabilities in St. Jude Medical’s implantable heart devices. Give the internet hands and feet, and it will have the ability to punch and kick.
We have a practical problem when it comes to internet regulation.
There’s no government structure to tackle this at a systemic level. Instead, there’s a fundamental mismatch between the way governments works and the way this technology works that makes dealing with this problem impossible at the moment.
Government operates in silos. Ministries have their separate priorities. Compare that with the internet. The internet is a freewheeling system of integrated objects and networks.
It grows horizontally, demolishing old technological barriers so that people and systems that never previously communicated now can.
Already, apps on a Smartphone can log health information, control your energy use, and communicate with your car.
That’s a set of functions that crosses jurisdictions of at multiple government agencies and even countries, and it’s only going to get worse.
This has lots of precedent. Many new technologies have led to the formation of new government regulatory agencies.
Trains did, cars did, planes did. Radio led to the formation of the Federal Radio Commission, which became the FCC.
Nuclear power led to the formation of the Atomic Energy Commission, which eventually became the Department of Energy.
The reasons were the same in every case. New technologies need new expertise because they bring with them new challenges.
The internet has famously eschewed formal regulation, instead adopting a multi-stakeholder model of academics, businesses, governments, and other interested parties.
My hope is that we can keep the best of this approach in any regulatory agency.
Here’s the thing: Governments will be involved, regardless. The risks are too great, and the stakes are too high.
Government already regulates dangerous physical systems like cars and medical devices. And nothing motivates the governments like fear.
COVID-19 pandemic being a case in point. We can’t afford to ignore these issues until it’s too late.
We also need to start disconnecting systems. If we cannot secure complex systems to the level required by their realworld
capabilities, then we must not build a world where everything is computerized and interconnected.
Most important, we can move toward less centralisation and more distributed systems, which is how the internet was first envisioned.
We have to fix this. Getting IoT security right depends on the two sides working together and, even more important, having people who are experts in each working on both.
It’s indeed a somber thought from Albert Einstein that: “It has become appallingly obvious that our technology has
exceeded our humanity” As always you all stay safe in both physical and cyber worlds. Be blessed this weekend.
- Ilaitia B. Tuisawau is a private cybersecurity consultant. The views expressed in this article are his and not necessarily shared by this newspaper. Mr Tuisawau can be contacted on ilaitia@cyberbati.com
