We are halfway through 2020, and for all the decades-long discussions around IoT, very few countries have addressed the national security issues raised by vulnerable IoTs.
It wasn’t until 4 years ago that the subject even entered the public spotlight, when the United States Department of Homeland Security issued a set of strategic principles for securing the Internet of Things.
Then, very timidly, the United Kingdom, through its National Cyber Security Centre, also affirmed the belief that nation-wide attacks are a matter of “when, not if.”
But just as we ignored Bill Gates warning for five years that we were failing to prepare for a modern-day pandemic, a matching response from the international community has been long in coming.
The situation is worrying. The US has its attention turned to social issues and upcoming elections. The UK is waiting to follow someone else’s lead. The rest of Europe seems unprepared at best, and oblivious at worst.
Their good practices and baseline security recommendations seem fitted for a gentle opponent. The old-school kind of gentleman challenger that will telegraph a formal intention to duel.
But real threat actors are more like silent aggressors. They know very well what they’re doing and have read the playbook several times before making a single move.
The Impact of IoT on National Security
When we talk of national security, it’s easy to think about disrupting the public sector – healthcare, energy, or strategic resources. And certainly, it’s easy to understand how industrial IoT needs careful consideration due to its direct impact on these verticals.
But I would argue that consumer-grade IoT, the kind which people buy with little to no consideration to security, is a ticking time bomb.
What’s worse – now that the cat is out of the bag, imposing any kind of regulation on personal devices could be seen as a government violation of privacy and freedom of choice.
This is a typical “wicked problem” – a special class of problems difficult or impossible to solve due to as many as 4 reasons:
- Incomplete or contradictory knowledge: Which, and how many consumer devices are vulnerable, to what exploits, and what is the potential disruption impact?
- A large number of people and opinions involved: IoT household penetration hit 69% last year, as shown in a recent study by the Consumer Technology Association (CTA); the average number of devices per household varies wildly by source, but none quote anything under 25.
- A huge economic burden: Who would support the cost of replacing all critically vulnerable devices? And how many breaches can private companies or the public sector withstand before losses surpass the cost of replacement?
- And the interconnected, complex nature of these problems that will give birth to subsequent, unpredictable problems
Governments can either incentivize or else coerce the economic sector into upgrading its infrastructure to a more secure alternative (I feel like a special mention of the ongoing 5G infrastructure war between Nokia and Ericsson vs. Huawei is obligatory at this point). But they cannot do the same with the general public.
So with over 14 billion devices already connected to the Internet last year, how do you protect your citizens against a well-coordinated, state-sponsored attack?
At the time it was discovered, Stuxnet had all the characteristics to become a sensational story. It evoked Bond-like scenarios in the public’s imagination, as confirmation of spying operations (and a potential international scandal) made headlines in 2010.
For a public fed on spy movies, an undercover operation like Stuxnet was an easy sell.
To be frank, Stuxnet was not your run-of-the-mill IoT attack. The industrial programmable logic controllers (PLCs) targeted by Stuxnet weren’t typical IoT devices as we understand them today.
But as smart controllers, they illustrate the hidden dangers in — let’s call them “devices that connect to other devices.”
From one hop to another, the Stuxnet worm made its way from USB sticks to Windows computers and eventually reached its target – the Siemens software-controlled PLCs inside Iranian uranium enrichment facilities in Natanz.
Not as much effort is put into malware that targets consumer IoT (largely because it doesn’t even need to), but this modus operandi shows what truly advanced malware is capable of.
Not only that, but Stuxnet wreaked physical destruction on computer-controlled hardware equipment rather than hijacking computers or stealing data as it usually happens in the digital realm. It’s also notable that the virus had been released 2 years prior to the date it was exposed.
If anything like it is still out there, we might not know about it until it hits hard. And it’s hard to imagine that after a successful operation like that nobody else would try to replicate the results.
Stuxnet was the first digital weapon to show how in case of conflicting national interests the IoT would be a potent alternative weapon. And one that is hard to protect against.
Mirai – the Botnet That Changed IoT Security
It is perhaps unfortunate that the 2016 Mirai botnet has been replaced on Google Search (and in popular culture) by the 2018 Japanese movie of the same name.
Although the botnet itself borrowed the name from an anime series, losing that association is unfortunate because we still need to remember the events of the fall of 2016. For those who need a refresher, here’s how Mirai put IoT security in the headlines 4 years ago.
On October 12, 2016, a massive DDoS attack left huge chunks of the Internet inaccessible on the US East Coast. Authorities initially feared the attack was the doing of a hostile nation-state.
But in fact, it was the result of a botnet army directed at Internet Service Provider Dyn. A month earlier, Mirai had sent the world (and the cybersecurity community especially) a message by taking down infosec legend Brian Krebs’ web site.
But Mirai ultimately left a mark because it took down services people cared about – Twitter, Netflix, CNN, and even Amazon. Had it not been as effective as it was, it might have gone unnoticed like many others before.
However, that sudden aggression against popular US companies, and the emotional disruption it brought upon millions of Internet users, catapulted Mirai straight into nefarious stardom.
Since then, no other botnet has been as efficient or as disruptive. One thing, in particular, stands out as being just as true today as it was 4 years ago: most of the devices hacked by the Mirai botnet never went offline.
The Leap From Digital to Physical
The appeal of these new digital weapons is that although they can wreak havoc in the real world, tracing them to the source takes time. Plus, the public is rather skeptical of the findings.
Few are sufficiently knowledgeable to understand how it is possible for a foreign power to operate from a distance with such efficiency. It’s then easy to dismiss this kind of aggression as false flag attacks and outright deny involvement.
Nobody knows this better than Ukraine. In the past years, the East-European country has become a hotbed for testing new cyber warfare. Kenneth Geers, NATO Cyber Centre Ambassador, said “You can’t really find a space in Ukraine where there hasn’t been an attack.”
Then-president Petro Poroshenko claimed “direct or indirect involvement of secret services of Russia, which have unleashed a cyberwar against our country.”
But no one was able to point the finger at the Kremlin. Was Ukraine, long at odds with Russia, a trustworthy source?
Since at least 2014, Ukraine has been a live-fire space for Russian hackers. Ukrainian citizens experience regular blackouts. Media servers go offline and lose data without explanation. Railway schedules are disrupted, and many other organizations keep their breaches secret.
How much of it is IoT hacking? We won’t know for sure for a while longer, but we can already see reports of new IoT attacks.
One such report came last year from Microsoft, who uncovered state-sponsored hackers targeting VoIP phones, printers, and video decoders to gain access to enterprise infrastructure.
Soon we’ll start seeing more reports of consumer-grade IoTs used to penetrate business networks. Since many more people now use work devices on their home network and vice versa, it’s a matter of “when, not if”.
Banning Apps vs. Banning IoTs
If it was still necessary at this point, India and China showed us last month how geopolitics shape digital strategy.
After a bloody border clash that ended in casualties, the Indian government deemed many popular Chinese apps “a threat to sovereignty and integrity”. The outrage of banning popular free apps, including TikTok, manifested itself almost immediately. Indian users responded to the TikTok ban by… using TikTok!
But can you imagine the response if Huawei, Xiaomi, Redmi, or OneNote devices were suddenly rendered obsolete?
And a big part of the issue is that the dynamic is not reciprocal. The Chinese government has been careful regarding what kind of devices foreign businesses are allowed to sell to Chinese nationals.
It is more than just “weird” that China does not allow American Internet companies to operate domestically. It is so by design. In order to prevent espionage, data exfiltration, or unapproved ideological imports, the CCP has succeeded in isolating its population against foreign influence.
The Current IoT Security Guidelines – and How They Need to Change
Perhaps the leading document that Western society has regarding IoT security is the DHS’s Strategic Principles for Securing The Internet of Things. In it, the DHS acknowledges that:
[..] there is a small—and rapidly closing—window to ensure that IoT is adopted in a way that maximizes security and minimizes risk. If the country fails to do so, it will be coping with the consequences for generations.
A correct assessment if we ever saw one. The document goes on to highlight six guiding principles for IoT developers, manufacturers, service providers, and industrial consumers:
- Incorporate security at the design phase.
- Promote security updates and vulnerability management.
- Build on recognized security practices.
- Prioritize security measures according to potential impact.
- Promote transparency across IoT.
- Connect carefully and deliberately.
Although not addressed directly, the case for consumer IoT security is included as well.
The thinking goes:
(1) if IoT developers and manufacturers succeed in bringing secure, home-grown alternatives to the market then
(2) service providers can collaborate with said manufacturers to help replace existing devices and offer an additional layer of security for the IoT.
But this strategy relies heavily on quick displacement and on the absence of active conflict. It assumes that US products will be sufficiently attractive against their imported counterparts that vulnerable devices will simply go away.
If that doesn’t happen fast, and the West continues to import technology, the onus will be on service providers to figure out how to protect their users. And while they’re at it – national security as well.
IoT Connectivity Redefined
Many CSPs are not prepared to do that right now. Short of isolating an entire country from the rest of the Internet, their hands are pretty much tied. But nobody wants a local intranet instead of the real deal.
If the new telecommunications architecture for 5G falls short on security, then it truly is game over for many countries. It is of little surprise that China’s Belt and Road initiative includes building telecom networks in poor or developing countries.
From this perspective, the rush to 5G is a trap that the US and its allies are wisely avoiding. Yes, it’s true that other countries might have the first-mover advantage. But compare that to the certainty that an over-reliance on external benevolence and non-intrusion will not end well.
The question still remains – when will IoT become a national security issue for most countries? Is there an event so powerful that will determine action from a dormant Europe?
Will the US lead the initiative to implement actual change? And what will be the effect of Belt and Road-funded telecom networks in Africa over the next decade?
Whatever the future holds in store for us, we’re in for a lot of surprises.