Schneier: Next President May Face IoT Cyberattack That Causes People to Die
Some people may think the upcoming US presidential election is a Kobayashi Maru, a lose-lose scenario no matter who wins, but which candidate would best deal with a cyberattack that caused people to die?
In an article about how hacking the Internet of Things will result in real world disasters, security guru Bruce Schneier—who is not known for spreading FUD (fear, uncertainty, doubt)—was not talking about hacks against banks or the smart grid that would cause general chaos; oh no, he was describing hacks against devices connected to the internet which would actually result in people dying.
Writing on Motherboard, Schneier suggested:
The next president will probably be forced to deal with a large-scale internet disaster that kills multiple people.
IoT and cyber-physical systems, according to Schneier, have “given the internet hands and feet: the ability to directly affect the physical world. What used to be attacks against data and information have become attacks against flesh, steel, and concrete.”
Indeed, there are plenty of scary possibilities which range from targeting one person to targeting hundreds of people at the same instant; hacking cars while they are driving down the highway; remotely assassinating a person by hacking their medical device, hacking a plane full of passengers, remotely taking control of weapon systems such as Patriot missile batteries, hacking a water treatment plant and tweaking the chemical mix; the nightmare scenario list of hacks that we all hope never happen goes on and on. Schneier said IoT will allow attacks we cannot even imagine yet.
He puts the increased risk into three groups, “software control of systems, interconnection between systems and automatic or autonomous systems.”
As for software control, IoT basically makes everything an internet-connected computer which means those things are vulnerable to attacks that would normally be launched against computers. Even today, you hear about hacks and breaches because some folks and organizations can’t even keep their systems patched. Other devices can’t be patched at all; while you might throw out a vulnerable router, Schneier said it’s doubtful you’d run out and buy a refrigerator because it had a vulnerability which could not be patched.
If IoT hasn’t even officially “exploded” into mainstream yet, it’s disheartening to consider how much will be vulnerable once that occurs. He cited a Princeton survey which found there are already 500,000 insecure devices on the internet.
When it comes to systems connected to other systems, if one is vulnerable and can be attacked, then the other interconnected systems can also be attacked. Schneier blew my mind with the math; he wrote:
Vulnerabilities on one system cascade into other systems, and the result is a vulnerability that no one saw coming and no one bears responsibility for fixing. The Internet of Things will make exploitable vulnerabilities much more common. It’s simple mathematics. If 100 systems are all interacting with each other, that’s about 5,000 interactions and 5,000 potential vulnerabilities resulting from those interactions. If 300 systems are all interacting with each other, that’s 45,000 interactions. 1,000 systems: 12.5 million interactions. Most of them will be benign or uninteresting, but some of them will be very damaging.
If an attack were on an autonomous system, with no human in the loop, then Schneier suggested the effects of an attack could be immediate, automatic and ubiquitous.
He recommended for governments to get more involved, but then again “many of us are phobic of any government-led solution to anything.” Sorry, but amen to that.
Yet if the next president has “to deal with a massive internet disaster which kills multiple people,” Schneier said he hopes the president will recognize “what the government can do that industry can’t” and then have “the political will to make it happen.”
Like many of you, I have a great deal of respect for Schneier; his internet-hacking-disaster scenario which would result in people dying is alarming on many levels, including the consideration of presidential candidates since neither seems particularly cybersecurity savvy; it all around seems like a Kobayashi Maru scenario.