BY TOM WILLIAMS, EDITOR-IN-CHIEF
There is certainly no doubt that computer security has always been an important issue. The advent of the Internet and services like online shopping, banking, dating, illicit affairs and the like have only increased the urgency and complexity of security. Now, with the rise of the Internet of Things, there is quite possibly no device that does not require some level of security and the issue has taken on even greater and unprecedented importance along with mind-boggling complexity. In fact, it has quite possibly become a problem for which there really is no complete solution—and not for lack of effort or hype.
One basic fact is that the Internet of Things does not mean that everything is connected to everything else. There may be some things to which everything can connect, but mostly the IoT consists of realms of exclusivity, domains that find their global connectivity via the Cloud or through smaller domain networks that ultimately connect to the Cloud. Growing numbers of devices, “things,” are vital to life, safety, the economy and national security and they are currently vulnerable to attack at some level. And the IoT is connected to the rest of the Internet, which means huge amounts of data that must also be secured while being made available to authorized users. One of the more unsettling facts is that we do not really know how secure or vulnerable many of these systems such as the national power grid really are.
We do know that major nations maintain cyber warfare groups and have acted in at least some cases, but so far there has been no all-out attack. One must ask one’s self if this is due to robust defensive security or other reasons. We have a reason to fear, for example that the Chinese could bring down our power grid. On the other hand, the Chinese must be aware that we could bring down theirs. Is the lack of action due to some fear analogous to the “mutual assured destruction” that helped prevent nuclear attacks during the Cold War? We can only guess.
There have of course been notorious instances of breached security that must give us all pause. The break-ins at Sony, Target and the theft of millions of Social Security numbers; the Australian water system and more recently the remote hacking of a running Jeep Cherokee that was able to access the accelerator. These are just a few that we know about and we can be certain there are others, quite probably more unsettling, that are being kept very quiet.
At the same time, the industry is awash in public relations blitzes, product introductions and endless PowerPoint presentations claiming to have solutions for security in all manner of systems and devices. Most of these approaches deal with limited aspects of the overall security challenge such as secure routers, data encryption, user authentication, kernel separation—the list goes on. In many of the well-known security breach stories, the fault has appeared to lie in some neglected detail that was discovered and exploited by hackers. This is, of course, a result of the ever growing complexity of embedded, IT and networked systems, many of which host multiple users with different applications and different connection requirements.
In Franz Kafka’s short story, “The Burrow,” the main character (some sort of burrowing animal) has dug a den with deep refuges, hidden entrances and a fortified center in order to protect itself and its possessions from real and imagined enemies. Even the secret escape route is a danger if an enemy accidentally discovers it and turns it into an entrance. The character doesn’t rest and is constantly thinking of possible dangers, of enemies and assaults on its burrow. Then there is the slight scraping or hissing, a constant, steady and never ceasing sound that spells danger. But through all the character’s efforts and paranoid speculation, nothing it can do will make that sound go away. At the end, the final words are, “But nothing had changed.”
This is analogous to the confidence we can have in today’s secure system. We can take all the measures we find available but we can never rest in confidence that they are sufficient. We can try to make access more difficult than the motivation of anticipated hackers but how difficult must that be? We can never be certain. And yet we must try. But today we must face the fact that comprehensive security is broken, an illusion made up of disparate parts with varying degrees of compatibility, methods of implementation and effectiveness. Some of it does work . . . to an extent and that extent is really not well known. Some sort of unified effort is needed, or some kind of concept that stretches from Cloud to embedded sensor/actuator. It is too big a challenge for individual companies; it must be approached as an industry, maybe a society.
And if and when we do make sufficient progress for some overall level of confidence—not complete, but perhaps measureable—there is one more question no one seems to want to discuss: How do we retrofit all the existing systems and those that will be deployed in the meantime with some confident measure of security? Yes, we must try and we will make progress. But like that burrowing animal, we will never truly be able to rest without that slight hissing noise in the background.