In February, I met with government and industry officials in Taiwan regarding regional cybersecurity strategies for the Internet of Everything (IoE). My travels were part of a five-week Eisenhower Fellowship. The trip was solely in a personal capacity and the views in this post are strictly personal.
Taiwan has been living at "ground zero" for several years when it comes to experiencing daily security challenges. The country's leaders are aware of the risks posed by exposing an increasing number of important information systems to the internet, and they have been proactive in educating their government workforce about the threats since 2000.
While no system on the internet is 100 percent secure, Taiwan has made great strides to reduce the risks to government agency systems. This includes its sophisticated, automated Taipei traffic control system, where you can use a free mobile app to view traffic cams anywhere, access GPS-based timetables for buses, see real-time parking space availability for garages, and follow the green lights in a parking garage to a free parking space.
It is only a matter of time before your IoE car reserves a parking space and drives you to it by itself.
Even given this progress, in my meetings with representatives from Taiwan, three concerns emerged regarding cybersecurity and the IoE:
- The Internet of Everything (IoE) will increase cybersecurity risks to the average consumer. Whereas historically Taiwan's government and potentially a few very large companies were cybersecurity targets, increased commercial adoption of the IoE will make the risks of cybercrime, cyber extortion, and cyber intrusion very real to the average consumer. Consumer privacy will also need additional emphasis, since IoE devices will generate large amounts of both intentional and unintentional personal data.
Taken together, these three concerns mean Taiwan, and other nations, might want to consider approaching cybersecurity differently, focusing instead on cyber resiliency and an approach more akin to "cyber public health": preventive measures and rapid detection, containment, and mitigation of cyber threats, much like infectious disease control.
Given my own experiences with bioterrorism preparedness and response at the U.S. Centers for Disease Control (CDC) from 2000-2005, I find this model of "cyber public health" resonates as there is no way anyone can guarantee an infectious disease outbreak or bioterrorism event will not occur. Even if you do create preventive measures against known pathogens, there will always be new mutated strains that resist past treatments. In the public health world:
- We teach individual hygiene to communities to reduce the likelihood of a new outbreak emerging.
Such principles of conventional public health fit well with what we may also need to do for the IoE. Rapid detection and response reduce the "dwell" time of an infectious disease outbreak in the same way that rapid detection and containment of a cyber threat would reduce its dwell time and consequences.
In 2013, there were 7 billion network devices on the face of the planet, growing to 14 billion network devices by the end of 2015 (equal to almost twice the number of humans globally).
Given that the IoE is estimated to grow to anywhere between 50 and 200 billion network devices by 2020, perhaps a solution to address such exponential growth is to apply the same techniques and principles that allowed public health to conquer smallpox, polio, typhoid and other major infectious diseases in the 20th century to future 21st century "cyber infection" control?