By Frank J. Cilluffo and Sharon L. Cardash.
By 2020, billions of devices will be connected online. The possibilities within this Internet of Everything are innovative, extensive, and valuable. Think driverless cars, “smart” houses and cities, and critical healthcare delivered virtually to remote locations. But these developments also have a dark side. With opportunity comes challenge, in the form of vulnerability.
The smarter the device, the more likely an adversary can do harm—to it, to the owner, and to third parties. The very connectivity that enables advances in so many domains and ways in turn provides an access point for attack and exploitation. This built-in weakness, which exponentially expands the surface for potential attack, is particularly problematic when it comes to critical infrastructure sectors like national defense, energy (electric, oil & gas), water, banking, and so on. Left under-protected and exposed to physical or cyberattack, these vital areas and services could be undermined and/or halted. The longer the disruption, the greater the potential for people to lose trust and confidence in the system as a whole. Recall the widespread concern generated by the shutdown of the New York Stock Exchange in July of this year. The apparent culprit there was just a technical “glitch.” Imagine the damage and mayhem that an actor with malicious intent could cause.
How should we deal with the countless security vulnerabilities introduced by our unprecedented level of connectivity? One crucial way is to build security proactively into our devices and architectures, rather than trying to retrofit it after a breach or incident. At the same time, we need to change our culture and mindset as a nation. In part, this means educating and training the upcoming and existing workforce to appreciate the importance of security concerns in this context; and acting in a manner that reinforces our protective posture instead of undercutting it. Keep in mind that that posture is only as strong as the weakest link in the chain, so vendors, suppliers, contractors, and other third parties must all hew to the standard.
No system will be foolproof though, so resilience is an equally crucial aspect of the equation. The ability to bounce back and to do so quickly is perhaps the greatest deterrent to those who may wish to do us harm. Consider, for example, a scenario where the adversary combines physical and cyberattacks, using both means to target the electric grid and disable emergency response. Sound far-fetched? In fact, a variant of this has already happened: in 2013, a Pacific Gas & Electric Company substation in Silicon Valley was the subject of an armed attack in which phone cables were also cut. Farther afield, in Yemen, terrorists blacked out the entire country in June 2014.
The bottom line: networked critical infrastructure clearly presents a considerable security challenge. Yet, leadership and sustained effort within and between the public and private sectors could go a long way towards shoring up vital services and assets. With 80% of critical infrastructure privately owned and operated in the United States, collaboration between government and industry is crucial to protecting and preserving our national and economic security.
Sharing threat-related information in real-time (or close to it), assessing and prioritizing risks, and allocating scarce resources accordingly are just a few of the things that we can do—or at least, do better.
Our adversaries are networked and varied, including nation-states, terrorist groups, and organized criminals. To be effective, the response must be equally networked and nimble. Moreover, responsibility extends all the way down to the level of the individual. The Internet of Everything means each and every one of us needs to own our security.
Frank J. Cilluffo serves as Director and Sharon L. Cardash serves as Associate Director of the George Washington University Center for Cyber and Homeland Security (CCHS).