Remember when our online problems stayed there, reliably separate from our ‘real lives?’ Turns out, those were the good old days. Now we increasingly inhabit a world in which the distinction between online and offline has disappeared. More to the point, now online dangers portend physical, real-world damages.
Consider: In 2015, two security researchers remotely took control of a Jeep Cherokee from ten miles away. “A video shows the driver’s terrified expression as he’s driving on a highway, powerless while the hackers turn on the air-conditioning, change the radio station, turn on the wipers, and eventually kill the engine.” Because this was a demonstration rather than a murder attempt, the researchers did not take control of the brakes or the steering — but they could have. And no, this isn’t a one-off trick. Hackers have demonstrated similar vulnerabilities in a variety of different automobile models. Scarier still: last year the US Department of Homeland Security demonstrated a remote hack of a Boeing 757!
Or consider: In 2016, hackers — presumably Russian — shut down the Pivnichna high-voltage power substation near Kiev in Ukraine with a cyberweapon named CrashOverride. The weapon had the capability to cause much more harm than it did — by repeatedly cycling the power on and off, for example, it could have put the substation out of commission for days or weeks. Instead, the weapon’s deployment was largely a test of capability. U.S. intelligence is also aware that “Russian hackers [have] penetrated more than 20 US power stations, often accessing critical systems but without causing damage; these were also tests of capability.”
Finally, consider: Over one weekend last year, someone hacked 150,00 printers around the world. Though the scale was impressive, this was pretty much garden-variety cyber vandalism. Except that we’re beginning to see more and more bio-printers. Before long, they’ll be common in hospitals, pharmacies, and doctors’ offices. Soon a hacker could force a bio-printer to print lots of a killer virus, or force many printers to print smaller batches. “If the virus could spread widely enough, infect enough people, and be persistent enough, we might have a worldwide pandemic on our hands.”
Bruce Schneier, author of Click Here to Kill Everybody: Security and Survival in a Hyper-connected World, explains why such scenarios are multiplying:
It used to be that things had computers in them. Now they are computers with things attached to them. And as computers continue to get smaller and cheaper, they’re being embedded into more things, and more things are turning into computers. You might not notice it, and you certainly don’t shop for cars and refrigerators as computers; you buy them for their transportation and cooling functions. But they’re computers, and that matters when it comes to security . . . The name given to this ubiquitous connectivity is the “Internet of Things” (IoT).
And there you have the premise of Schneier’s book: The accelerating growth of the Internet of Things means the risk and scale of both accidental and intentional (terrorist) destruction continues to compound. Unfortunately, so far, policy makers are far from catching up. As former FCC chairman Tom Wheeler noted at a 2017 Internet security conference, ““we’re facing 21st-century issues, discussing them in 20th-century terms, and proposing 19th-century solutions.”
Given that, Schneier sets himself three tasks:
- First, to act as a ‘voice in the wilderness,’ making sure we recognize the severity of the threats we’re about to face.
- Second, to convince us that these security threats cannot really be countered by the private sector, they can only effectively be dealt with by government.
- Third, since Schneier is a realist, and believes it will take a 9-11-type security event to prod (the U.S.) government into action, he also offers guidance for what we can do in the interim to lessen our risks.
Of those three, of course, it’s the first that really gets our attention. Schneier is at his best elucidating the many risks posed by our deeply networked world:
[But we’re also] worried about GPS being hacked to misdirect global shipping and about counts from electronic voting booths being manipulated to throw elections. With smart homes, attacks can mean property damage. With banks, they can mean economic chaos. With power plants, they can mean blackouts. With waste treatment plants, they can mean toxic spills. With cars, planes, and medical devices, they can mean death. With terrorists and nation-states, the security of entire economies and nations could be at stake.
Later in the book, Schneier concludes:
The admittedly clickbait title of this book refers to the still-science-fictional scenario of a world so interconnected, with computers and networks so deeply embedded in our most important technical infrastructures, that someone could potentially destroy civilization with a few mouse clicks. We’re nowhere near that future, and I’m not convinced we’ll ever get there. But the risks are becoming increasingly catastrophic. . . . [In fact, IoT] security looks pretty bleak. The threats are increasing, the attackers are more brazen, and the defenses are increasingly inadequate.
Despite all that, Schneier does have hope. In particular, he sees the European Union’s General Data Protection Regulation as “a sea change in privacy law.” It’s a reasonable blueprint, he believes, for what the EU might eventually do with respect to internet security and safety.
More surprising, maybe, is another Schneier conclusion: that “surveillance capitalism is not sustainable.” He notes that we’re starting to chafe under the unremitting extraction of data about both our public and private lives, and concludes: “Surveillance capitalism is pervasively damaging to society; sooner or later, society will demand reform.”
About which we can say, at least, these two things: First, Facebook and Google, Schneier is talking about you. And second, let’s hope he’s right.