In February, I met with government and industry officials in Taiwan regarding regional cybersecurity strategies for the Internet of Everything (IoE). My travels were part of a five-week Eisenhower Fellowship. The trip was solely in a personal capacity and the views in this post are strictly personal.
Taiwan has been living at "ground zero" for several years when it comes to experiencing daily security challenges. The country's leaders are both aware of the risks posed by exposing an increasing number of important information systems to the internet and have been proactive in educating their government workforce about the threats since 2000.
While no system on the internet is 100 percent secure, Taiwan has made great strides to reduce the risks to government agency systems. This includes their sophisticated, automated Taipei traffic control system where you can use a free mobile app to view traffic cams anywhere, access GPS-based time tables for buses, see real-time parking space availability for garages, and follow the green lights in a parking garage to a free parking space.
It is only a matter of time before your IoE car reserves a parking space and drives you to it by itself.
Even given this progress, in my meetings with representatives from Taiwan, three concerns emerged regarding cybersecurity and the IoE:
- The Internet of Everything (IoE) will increase the risks of cybersecurity challenges to the average consumer. Whereas historically Taiwan's government and potentially a few very large companies were cybersecurity targets, increased commercial adoption of the IoE will make the risks of cybercrime, cyber extortion, and cyber intrusion very real to the average consumer. Consumer privacy will also need additional emphasis, since IoE devices will generate large amounts of both intentional and unintentional personal data.
- Who will guard your grandmother's car or refrigerator from being hacked, or if it is hacked, who will detect this and then notify your grandmother? Current approaches to cybersecurity, i.e., relying on human experts to maintain "tougher digital locks" and "higher (fire)walls", will not be sustainable as the IoE's potential attack surface expands. While Taiwan's military will focus on protecting its own systems and Taiwan's government its own non-military systems, it's not clear who will look after companies or individual consumers. A new model is needed that recognizes the exponential growth of the IoE and the challenges of multiple, proprietary interfaces for the IoE layered on top of TCP/IP.
- The IoE will make even more visible the flaws present in TCP/IP and the challenges of guaranteeing that any IT system is 100 percent secure. As Taiwan's experiences underscore: while one can encourage good "cyber hygiene" practices and preventive measures to reduce risk and improve the overall security health of a system -- if a device or system is connected to the internet, it's at risk, especially from unscripted, 0-day exploits to which there may be no defense until after an attack.
Taken together, these three concerns mean Taiwan, and other nations, might want to consider approaching cybersecurity differently -- focusing instead on cyber resiliency and an approach more akin to "cyber public health": preventive measures plus rapid detection, containment, and mitigation of cyber threats, modeled on infectious disease control.
Given my own experiences with bioterrorism preparedness and response at the U.S. Centers for Disease Control (CDC) from 2000 to 2005, I find this model of "cyber public health" resonates, as there is no way anyone can guarantee that an infectious disease outbreak or bioterrorism event will not occur. Even if you do create preventive measures against known pathogens, there will always be new mutated strains that resist past treatments. In the public health world:
- We teach individual hygiene to communities to reduce the likelihood of a new outbreak emerging.
- We establish good infectious disease detection procedures focused on signs, symptoms, and behaviors -- with an equal emphasis on protecting the privacy of individuals.
- We mobilize epidemiologists and public health professionals to characterize, contain, and remediate an infectious disease as quickly as possible, should one emerge.
These principles of conventional public health fit well with what we may also need to do for the IoE. Rapid detection and response reduces the "dwell" time of an infectious disease outbreak in the same way that rapid detection and containment of a cyber threat would reduce its dwell time and consequences.
In 2013, there were 7 billion network devices on the face of the planet, growing to 14 billion network devices by the end of 2015 (equal to almost twice the number of humans globally).
Given that the IoE is estimated to grow to anywhere between 50 and 200 billion network devices by 2020 -- perhaps a solution to address such exponential growth is to apply the same techniques and principles that allowed public health to conquer smallpox, polio, typhoid and other major infectious diseases in the 20th century to future 21st century "cyber infection" control?