Last week we discussed the notion of a cybersecurity “dumpster fire”: a cybersecurity event that causes additional damage once it occurs because of the environment in which it happens. In other words, the effects of the cybersecurity event are multiplied.
Cybersecurity events like this are a genuine possibility (as experience has shown), so let's think about the idea of a cybersecurity event that reaches a level of critical mass, where the damage becomes essentially uncontrollable, much like a runaway thermonuclear reaction.
Okay, I am not trying to be overly dramatic, but let's consider whether something like this is possible. I can posit at least one scenario where this could potentially happen. Let’s consider the massive proliferation of IoT devices in use today and, of course, the massive number of IoT devices that will be in use in the future.
Everything capable of communicating on a network is now becoming part of the networked world. Anything currently not networked is on its way to becoming networked — thermostats, cars, appliances, aquariums, toys, and so on. There are many more.
We should be concerned that IoT devices are introduced to the Internet without effort put into designing or managing their security. Some items have better protection than others, but many are terrible. Low-cost and high-volume items, such as children’s toys, have not had much thought put into security. Many of these devices do not possess the ability to update the firmware. Manufacture and forget. These devices are used until something new comes along and then discarded.
Part of the problem is that being discarded doesn’t mean being turned off. If a device requires an update, you are out of luck. These items do not exist in static environments. They are not designed to be tracked and inventoried. We are not even close to the level of tracking we see (or at least should see) with enterprise systems or even portable computing devices, such as laptop computers.
If we live in a world where IoT devices continue to increase at the levels we are now seeing, it stands to reason that a cyber attack that can grow on its own, such as a worm, could grow out of control quickly. We have seen inklings of this in the past, when particularly potent malware escaped its developers and infected millions of computers.
The problem with IoT is that we may not know what devices are affected because many different devices can share identical firmware, nor do we know where the devices are located. In a bad scenario, there would be no way to stop this from spiraling out of control. It would essentially end up being a “critical mass” type reaction.
So one thing is abundantly clear. We must find ways to identify cybersecurity attacks that can spread in this manner and identify devices and device manufacturers that can and should be held accountable for creating such devices. The intention is not necessarily to penalize organizations for not addressing these issues but rather to devise ways of managing the manufacturing and distribution of such devices so that they do not lead to a catastrophic cybersecurity event.