Wednesday, July 27, 2016

Backdoors Are Dangerous—Especially When Combined with the Internet of Things

By LXBN | July 27, 2016
This week, all eyes—Congress and the public, alike—are likely on the Democratic National Convention in Philadelphia. But they should be keeping a closer eye on the tech at home.
Though both major parties namecheck things like protecting “our industry, infrastructure, and government from cyberattacks,” and going “on offense to avoid the cyber-equivalent of Pearl Harbor,” there’s still no agreement as to how we’d do that. For many in Congress, that means protecting privacy while still allowing backdoors. But as that thought process barrels forward, it’s going to have to reconcile with another unstoppable force: The Internet of Things.

Encryption has been a hot topic for years, but thanks to the Apple v. FBI battle earlier this year, it’s become more hot button than ever before. The sides—loosely sketched as they are—tend to devolve into two trains of thought: One side (the government, typically) wants to ensure that law enforcement officials and agencies would still have access to cell phones, computers, and otherwise encrypted gadgets in the case of an investigation. The other (frequently represented by Silicon Valley) posits that any door or key they leave available will be available to everyone, law enforcement and malicious hacker alike.
Truth is, both sides have good points. The difference is that most consumers are more sympathetic to the side with technological manufacturers and experts telling them that encryption is only as good as its weakest link. Because it is, frankly, but also because the cost of a hole in security is no longer something companies and consumers can afford to casually write off. Cyberattacks are up 125 percent in the last five years, the cost of a data breach can easily get up into the millions, and no one is safe, even from repeat attacks.
The trouble is that the Internet of Things magnifies the problem. Not only are there more access points than ever before, but once one is accessed, it’s all daisy-chained together: ease of use for consumers and hackers alike.
Of course if your computer gets too infected by malware you can turn it off or cycle it out, in one way or another, like most consumers do (willingly or not) every couple of years. Same goes for a router, a cell phone, and so on. But as the Internet of Things takes over more and more of our home, the less likely we are to cycle out these things. As Motherboard writes:
Photo Credit: Yu. Samoilov cc
The Internet of Things is a result of everything turning into a computer. This gives us enormous power and flexibility, but it brings insecurities with it as well. As more things come under software control, they become vulnerable to all the attacks we’ve seen against computers. But because many of these things are both inexpensive and long-lasting, many of the patch and update systems that work with computers and smartphones won’t work. Right now, the only way to patch most home routers is to throw them away and buy new ones. And the security that comes from replacing your computer and phone every few years won’t work with your refrigerator and thermostat: on the average, you replace the former every 15 years, and the latter approximately never. A recent Princeton survey found 500,000 insecure devices on the internet. That number is about to explode.
As Motherboard goes on to point out, the math of how one hack could snowball out of control is simple: 100 systems interacting with each other makes for about 5,000 interactions and potential vulnerabilities. 300 systems means 45,000; 1,000 gets to about 12.5 million; and 500,000—well, that’s a disaster just waiting to happen. And between the refrigerators, toys, TVs, tea kettles, and cars that are dripping personal data, the “smart option” is starting to look pretty half-baked.
Which is what makes talk of “encryption backdoors” (or any of its many pseudonyms and attempted dodges) so disturbing. As technology becomes increasingly integral, connected, and automated in our lives, true cybersecurity becomes increasingly important. Security engineers are working hard to get us there; almost any smartphone these days comes with some form of end-to-end encryption. But there are certainly steps the government can take that the industry can’t. It may be a top concern for 91 percent of manufacturers, but the economic incentives are often not enough for companies to act, let alone act quickly. Even if a company is throwing money at the problem, it doesn’t mean they’re actually making a difference.  
“[Another] misconception about cybersecurity is ‘the more I spend the more secure I get,’ and that is not necessarily the case…Studies have shown that you can increase your budget by nine times with regard to information security and still not have complete security,” said Foley & Lardner partner Michael Overly on their blog Manufacturing Industry advisor. “The more thoughtful you are about how you approach information security, that’s really the key.”
Excuses that precautions aren’t necessary because it’s “just a toy” or “harming a sector’s economic viability” may have held some water at first, but at this point the Internet of Things’ vulnerabilities are leaking personal data all over the place, and potentially causing millions in damage—or even death.
If they can stop bickering about the merits of backdoors and gutting basic privacy protections, and start focusing on finding a true encrypted solution, the government could enact change to help guide manufacturers speeding towards a cybersecurity cliff with no hands on the wheel. After all, our refrigerators are no longer “just refrigerators,” and people can’t afford to think that way for much longer.
“I think our default posture has been, let’s not interfere in the free market of the software industry. The one thing you’re not liable for on the planet is software. There’s no software liability laws,” said Josh Corman, director of the Atlantic Council’s Cyber Statecraft Initiative, at a recent privacy forum. “I don’t know how a commercial airline works or what questions to ask before I get on one. I just know I can trust it…There are some things in culture that are not optional.”
