Internet of Things: when objects threaten national security

Poorly secured IoT devices could lead to attacks on national security. flickr/electroluxdesignlab, CC BY-NC

We all know personal devices can be hacked, but a whole country’s security could be at risk too. With the rise of the so-called Internet of Things (IoT), and against the backdrop of cyberwarfare, digital surveillance and digital subversion, the risk to national security is increasing. Earlier this year the head of the UK National Cyber Security Centre publicly stated that a major cyber-attack on the country’s essential services was a question of “when, not if”.

The IoT comprises of the billions of online objects embedded in our homes, workplaces and cities, that are constantly collecting, analysing and transmitting data. Some IoT devices, such as personal fitness trackers or smartphones, are carried with us wherever we go. Others we interact with remotely, such as domestic heating controls. Many are invisible, operating silently to modulate traffic flows, industrial control systems, and much more.

IoT devices are not so much things with computers in them, but computers with things attached to them. Because no computer is perfectly secure, that means that neither is your smart fridge or your virtual assistant. Like all things online, these objects form part of massively distributed networks. If someone wanted to hack into these global information networks, IoT devices provide billions of extra entry points.

It is relatively easy to hack an IoT device, as many cheap products do not have adequate security. Even devices with advanced security, such as driverless cars, are vulnerable. This means that IoT technologies are widely regarded as a major cyber-security problem. Pacemakers being hacked, air traffic control systems going down, and all out “cyber-war” are just some worst case scenarios. Vulnerabilities, if exploited, could lead to damage, injury and death.

Even air traffic control could be targeted by a cyber-attack on the IoT. US Navy

Cyber-attacks on critical national infrastructure are already a very real threat. In 2015, the Ukranian power grid was affected by a cyber-attack that left Kiev without electricity for several hours. More recently in 2017, the UK’s NHS was compromised for weeks due to the malicious software (malware) WannaCry.

These incidents show just how disruptive cyber-attacks can be and the fact that IoT attacks are proliferating and diversifying is a cause to worry. One major internet security company reported that IoT attacks increased 600% in 2016-17. This is an exponential rise and is expected to persist, not least as the number of IoT devices increase. Devices already outnumbered humans in 2017 but may top 20 billion by 2020.

The rise of the botnet

A botnet is a network of internet connected devices that have been hacked, hijacked and controlled remotely. The problem is that poorly secured IoT accounts make perfect targets for hackers attempting to develop and weaponise botnets. With the right malware, hackers can use botnets to perform distributed denial-of-service (DDoS) attacks against specific targets. The malware uses thousands of devices to flood internet servers with traffic and disable access to online resources. Billions of IoT devices make it easier for hackers to take control of large botnets and attack even the most robust targets.

The Mirai malware exploited vulnerabilities in IoT devices, such as CCTV cameras and routers, to do just this. In October 2016, Mirai launched a DDoS against Dyn, Inc, the company that provides access to major platforms like Twitter, Amazon and Netflix. The DDoS prevented consumers from accessing these platforms for several hours. Of course, it is difficult to calculate the financial implications of such incidents but Mirai showed how essential services can be attacked by exploiting IoT devices.

The Mirai DDos attack.

States or non-state actors could try and use an IoT botnet to attack a country’s health, energy, transport or finance sector. If a botnet were directed against critical national infrastructure, the effects could be severe. Speculation in the absence of evidence is rarely wise but it is not hard to imagine what might happen if financial services were taken offline, or rail transport networks sabotaged. No cyber-attack has yet collapsed the global financial system, or killed anyone, thankfully, but these are the fears of policymakers and cyber-security professionals.

Attribution is not easy either but it’s getting better. Were a state or terrorist group identified as the perpetrator of a major attack, national security apparatuses should swing into action to counter them. For NATO members, a cyber-attack might even trigger a collective political and military response.

How are governments responding?

So far both the US and the UK have stopped short of introducing regulation, but instead are putting pressure on businesses to make their products more secure. However, these policies do not address the overarching problem: companies will keep on selling products with poor security because consumers are willing to buy them. It is supply and demand. There are presently few incentives for firms to bring IoT products to market that meet high security standards. In global supply chains, the picture is even more complicated because national initiatives cannot resolve transnational problems.

The market will not solve this problem, so more robust government regulation is all but inevitable. Few bureaucracies relish the challenge. In policy terms, this is a “wicked problem”. Even if a solution was obvious, it would likely be impossible due to key players’ competing motives and the dynamism of the technical environment.

A more radical approach is to address why the IoT exists in the first place. It is the product of both laudable aims (energy efficiency, public welfare) and an obsession with connectivity for connectivity’s sake. As is well-established, complex systems generate unpredictable effects. If we are to minimise the risks of wiring up our world, we need to consider prioritising devices that are truly necessary over ones that are simply desirable. This will require a fundamental shift in mindset, putting the public good before profit and political expediency.