One IoT breach can cause ‘unprecedented’ damage, warns expert

World
Europe

The world we presently live in seems bizarrely futuristic.

Light-bulbs controlled by mobile devices to change the color of lighting, slow cookers remotely operated by Wi-Fi signals, and smoke detectors that can differentiate between a burning slice of toast and an emergency and accordingly alert the occupants of a house on their phones are no longer a work of fiction: Smart and connected devices have crossed the barrier of imagination to reality, ushering an era of disruptive technologies with a potentially seismic impact on the world. The Fourth Industrial Revolution, characterized by the marriage between physical and digital systems, is gradually unfolding before our eyes as developers ride the innovation wave towards a tomorrow that looks nothing like today.

This week, global leaders, economics elite, tech experts, CEOs, celebrities and academics are congregating in the Swiss town of Davos for the 47th edition of the World Economic Forum (WEF), and the high-profile meeting is shaping up to be a technology event with discussions about Artificial Intelligence, robotics, and the Internet of Things.

The Internet of Things (IoT) is one of the major driving forces of this revolution, and a sweeping term dominating water cooler conversations all the way to international gatherings as our modern and technologic needs lead to a growing volume of inter-connected devices at hand. UK-based Machina Research predicts that the number of IoT connections will grow from 6 billion in 2015 to 27 billion in 2025. This development has added a new layer of complexity to an already fragile situation of cyber-security. Crucial and private data are now available online, and within arm’s length from hacking – and breaches have not been rare.

CGTN Digital spoke with Feng Cheng, research associate at the Institute for Security Science and Technology at the Imperial College London, about what is at stake and how policymakers and experts should tackle the imminent threats of IoT.

Below are edited excerpts from the interview:‍

IoT is a buzzword that people are hearing more and more about and a growing topic of conversation to, yet few really grasp the meaning of it. Can you please simplify the concept?

The Internet of things is the concept of basically connecting any physical objects (embedded with electronics) with the Internet and allowing them to collect and exchange data. This includes everyday objects from coffee makers, washing machines, air conditioners, cars, wearable devices and almost anything else anyone can think of. It also applies to many larger scale systems such as public transportation systems, industrial control systems, and even critical infrastructures like power grids or gas pipelines among others.

Why should common people be interested in IoT?

The aim of IoT is to achieve smarter way of resource allocation and utilization through more efficient data collection, sharing and processing. In the past, most data came from human input, however they are very limited. In the future, most data will be produced by physical devices. By utilizing the massive data produced by both humans and physical devices, we can apply Artificial Intelligence techniques to provide a variety of smart services that benefit every individual. For example, by connecting cars with the Internet, we can effectively avoid traffic jams by automatically providing globally optimized routes to each driver in real-time.

An employee demonstrates the memo writing facility on a Samsung Electronics Co. Family Hub fridge freezer inside the Smart Home section at a John Lewis Plc department store in London, U.K., on Friday, April 8, 2016. The increasing integration of connected devices into our lives, what is commonly referred to as the Internet of things or IoT, promises enormous benefits for consumers and businesses. /CFP Photo

IoT connections have brought ease and convenience to the world, but they also gave rise to concerns over security risks and privacy breaches. Should people be worried?

Safeguarding cyber-security and preventing privacy breaches in IoT ecosystems are more crucial than ever. Unlike in PCs or mobile phones, a security breach in one IoT device can cause unprecedented damage to our daily life, involving massive breakdowns of public infrastructures or leading to problems affecting the quality of life. For privacy breaches, imagine that someone is able to hack into your fridge then thereby get access to your entire home network. As a result, all information about your daily life will be leaked.

What challenges arise from the increase reliance on IoT systems?

Security is a key issue. The reality of the cyber threats has been highlighted in national news coverage, from cyber-security vulnerabilities being exploited to compromise vehicles’ safety, to denial of service attacks (cyber-attacks leading to the interruption of accessibility of a network or machine by an authorized user) launched from consumer devices. Even worse, we cannot rely on traditional protection mechanisms like firewalls and anti-virus software on PCs and mobile phones since these traditional defenses are often not possible on IoT devices due to their relatively low CPU and memory profiles. Moreover, with more and more data being produced, more advanced data processing techniques are urgently needed to satisfy the quality of service of IoT applications. The challenge to support IoT devices under conditions of good functioning is also big. As individual devices become more connected and interactive, events that may have once had isolated consequences can now generate cascades of consequences, and the consequences can potentially spin out of control and badly affect the overall system performance.

The Digitsole smartshoe is displayed at the 2016 Consumer Electronics Show (CES) in Las Vegas, Nevada, US, on Monday, January 4, 2016. /CFP Photo

What trends could we expect in terms of cyber-attacks in the future?

With more and more devices from our cars to national critical infrastructures becoming connected to the Internet, cyber-attacks will become more than ever dangerous. More than just money is at risk – cyber-attacks will terrorize, meaning they can cause life threats. Furthermore, cyber threats will also become more sophisticated, with organized hacker groups and even nation states driving cyber-attacks on businesses.

Can we still talk about “stopping cyber-attacks” or is “managing cyber-attacks” a more realistic approach to the issue?

The attempt to stop or prevent and detect cyber-attacks alone is insufficient since cyber threats are developing at the same fast pace as new technologies are. More importantly, managing cyber-attacks or building resilience of systems from cyber-attacks is becoming necessary. This means we need to enable systems to respond to, mitigate and move on from cyber-attacks as quickly and completely as possible.

How can we improve the resilience of infrastructure?

The resilience of infrastructure is largely related to the robustness, the capacity, and rapidity of system restoration. In order to improve resilience, the key point is risk management. During the design phase, comprehensive modeling and simulation experiments should be done against potential risks to the infrastructure. Nowadays, with more and more critical infrastructure becoming networked, cyber-attacks as potential risks should be highlighted.

A visitor tries an IoT device at the 2015 Internet of Things Solutions World Congress (IOTSWC) in Barcelona on September 16, 2015. /CFP Photo

What should policymakers take into consideration as they attempt to safeguard cyber-security?

There are several key components that need to be considered by policymakers to effectively safeguard cyber-security. First, the policy should have clear security objectives and standards. For example, what assets need to be protected? What criteria would we use to release information to someone within or outside the organization? Secondly, any policy should enable information sharing in a proper way instead of obstructing or discouraging it. Furthermore, personal privacy protection should also be appropriately addressed in the cyber-security policy.

What obstacles does global cooperation on cyber-security face?

Cooperation on cyber-security has been a topic in many national leaders’ meetings over the last few years including the recent G20 in the Chinese city of Hangzhou. However, cyber-security agreements between countries can hardly be implemented since they may involve sensitive national security issues and lack real supervision on the implantation. Moreover, many countries are likely to ignore any global initiatives to introduce cyber norms, especially given that they lack a seat at the decision-making table.

China has recently adopted a cyber-security law with the aim of protecting sovereignty on cyberspace, national security and the rights of citizens. Other countries, such as the US, have been facing a tug of data war between a nation’s security and personal privacy protection. How do you think China could manage striking a balance?

There are natural conflicts between national security and personal privacy protection. The best way to resolve them is with more transparency about cyber-security policies and more collaboration between public and private sectors. For example, specific legislation should be taken to regulate data collection, monitoring and censorship by both public and private sectors to fight against the misuse of powers that endanger personal privacy. Moreover, many conflicts can also be avoided if the public and private sectors work together to make sure that security and privacy considerations are adequately addressed in the development of digital hardware, software applications, corporate policies and government regulations.

(Wang Xuejing contributed to the article, video editing by Ran Boqiang and Qi Jianqiang)