Internet of Things: when objects threaten national security

These incidents show just how disruptive cyber-attacks can be, and the fact that IoT attacks are proliferating and diversifying is a cause for worry. One major internet security company reported that IoT attacks increased 600 percent in 2016-17. This is an exponential rise and is expected to persist, not least as the number of IoT devices increases. Devices already outnumbered humans in 2017 but may top 20 billion by 2020.

The rise of the botnet
A botnet is a network of internet-connected devices that have been hacked, hijacked and controlled remotely. The problem is that poorly secured IoT accounts make perfect targets for hackers attempting to develop and weaponize botnets. With the right malware, hackers can use botnets to perform distributed denial-of-service (DDoS) attacks against specific targets. The malware uses thousands of devices to flood internet servers with traffic and disable access to online resources. Billions of IoT devices make it easier for hackers to take control of large botnets and attack even the most robust targets.

The Mirai malware exploited vulnerabilities in IoT devices, such as CCTV cameras and routers, to do just this. In October 2016, Mirai launched a DDoS against Dyn, Inc, the company that provides access to major platforms like Twitter, Amazon and Netflix. The DDoS prevented consumers from accessing these platforms for several hours. Of course, it is difficult to calculate the financial implications of such incidents but Mirai showed how essential services can be attacked by exploiting IoT devices.

States or non-state actors could try to use an IoT botnet to attack a country’s health, energy, transport or finance sector. If a botnet were directed against critical national infrastructure, the effects could be severe. Speculation in the absence of evidence is rarely wise, but it is not hard to imagine what might happen if financial services were taken offline, or rail transport networks sabotaged. No cyber-attack has yet collapsed the global financial system, or killed anyone, thankfully, but these are the fears of policymakers and cyber-security professionals.

Attribution is not easy either but it’s getting better. Were a state or terrorist group identified as the perpetrator of a major attack, national security apparatuses should swing into action to counter them. For NATO members, a cyber-attack might even trigger a collective political and military response.

How are governments responding?
So far both the US and the UK have stopped short of introducing regulation, but instead are putting pressure on businesses to make their products more secure. However, these policies do not address the overarching problem: companies will keep on selling products with poor security because consumers are willing to buy them. It is supply and demand. There are presently few incentives for firms to bring IoT products to market that meet high security standards. In global supply chains, the picture is even more complicated because national initiatives cannot resolve transnational problems.

The market will not solve this problem, so more robust government regulation is all but inevitable. Few bureaucracies relish the challenge. In policy terms, this is a “wicked problem”. Even if a solution were obvious, it would likely be impossible due to key players’ competing motives and the dynamism of the technical environment.

A more radical approach is to address why the IoT exists in the first place. It is the product of both laudable aims (energy efficiency, public welfare) and an obsession with connectivity for connectivity’s sake. As is well-established, complex systems generate unpredictable effects. If we are to minimize the risks of wiring up our world, we need to consider prioritizing devices that are truly necessary over ones that are simply desirable. This will require a fundamental shift in mindset, putting the public good before profit and political expediency.

Tim Stevens is Lecturer in Global Security, King’s College London. This article is published courtesy of The Conversation.