Internet of Things: Hacker Eavesdropping SmorgasbordSheer Network Scale Offers Hope for Solving Related Challenges
Imagine the cybersecurity implications of a world in which hundreds of millions of people have a physical impairment that leaves them internet-connected.
Thanks to the "internet of things," that scenario is fast becoming reality in the form of internet-connected hearing aids. But like so many aspects of the internet of things, such devices carry upsides as well as big, potential data breach downsides, according to Phil Reitinger, the chief executive of the Global Cyber Alliance. He formerly was the Department of Homeland Security's top cybersecurity official as well as CISO for Sony.
"Don't admire the problem - try to find something to solve, and then solve it."
In an opening keynote presentation Aug. 2 at Information Security Media Group's Fraud & Breach Prevention Summit New York, Reitinger noted that unlike some internet of things devices - toasters come to mind - internet-connected hearing aids, which are still in their infancy, offer a lot of promise for improving users' quality of life. When a user is watching a television show, for example, their hearing aids could identify the audio and instead of amplifying it, begin downloading a live audio stream of the broadcast.
But what happens when internet-enabled hearing aids enter the workplace? As with smartphones, the devices would be a natural target for attackers, because they could be exploited and used to facilitate remote surveillance, allowing hackers to "hear" whatever the wearer hears. And that would create risks for any such device wearer who works for an organization with access to classified or sensitive information.
Without appropriate safeguards being put in place, Reitinger claimed we risk a future in which attackers could perpetrate targeted breaches with little risk of their attacks being spotted or traced.
In that sort of a future, "things like the DNC [Democratic National Committee] hack, those are small potatoes ... because a huge number of people are walking listening devices," Reitinger said. "Everything is connected, everything is tied together."
Security Essential: Think Big
Everything will only continue to become more connected, and more data generated; that's our inevitable internet of things future. But from a security standpoint, it's possible to avoid some doomsday-style scenarios, provided we make some related moves, chief among them building networks that are as big as possible, Reitinger said.
"Right now, I think the bad guys have almost all of the advantages," he said. "But ... it's much tougher on the good guys than the bad guys. The bad guys operate at scale much better than the good guys."
Defenders, however, can learn to operate at scale, too. "We have to have an ecosystem that takes advantage of the one thing that the good guys and girls have, and that's the size of the network," he said.
At first glance, network size might seem to be a disadvantage, because it makes systems more complex and thus more difficult to secure. But larger networks also give organizations the ability to create what many organizations and vendors have been pushing for in recent years - larger sensor platforms, in which each endpoint or node can be tied into a massive, distributed security monitoring system. Together with better analysis and automation tools, these sensor platforms could be built to better spot an emerging attack, "acting like a biodefense system" that shuts the attack down, Reitinger said.
Some attacks would still get through, but such a system would enable defenders to more quickly block them, and continue to block them.
Short Term: Getting Worse
Of course, this approach might take decades to put into place. "My opinion is that things are very bad right now ... [and] that things are going to get worse, for at least the next 10 years," Reitinger said.
Even so, it's important to start identifying solutions to small parts of the problem now, finding ways to solve them and then building on that success, he said. In a call to arms that applies not just to addressing the internet of things but any enterprise information security challenge, no matter how insurmountable it might seem, Reitinger proclaimed: "Don't admire the problem - try to find something to solve, and then solve it."