There is also intent. A vulnerability is only dangerous when an attacker actually decides to exploit it. The problem with intent is that it is definitely not obvious to measure, especially on new risks by new kinds of attackers. Here we can oppose two theses, between Bruce Schneier’s core theory from Click Here to Kill Everybody and James Andrew Lewis’ theory from his 2016 Managing Risk for the Internet of Things CSIS report.

Terrorists and Enemies

Lewis’ reasoning is that we have been promised major cyber disruptions on traditional internet for a long time and that we are still waiting to see one. His reasoning about terrorists is interesting, as he explains that terrorists tend to prefer tactics that include “direct action, bloodshed, and political drama.” I agree with him, but I still think that a terrorist group with the same financial means as the 9/11 commandos could very well use IoT today as an amplifier of their attacks, for instance by having a botnet contribute to the chaos by attacking key services.

The main difference between Lewis and Schneier, though, is about the likelihood of exploitation of IoT vulnerabilities in the context of war. Here, the assumptions are different, as Lewis considers that a massive cyber attack would be deterred by potential response from the U.S. whereas Schneier considers that (1) it could be useful in the case of an already started war, and (2) that the difficulty to attribute an attack could lead to misguided retaliation or to the absence of retaliation.

Consequences

There are also a few significant differences between Lewis and Schneier on other topics, which I outline below:

• About consequences, Lewis mentions that “most vulnerabilities found on IoT devices lead to events that would qualify as pranks.” He acknowledges that botnets can be created, but he dismisses them by mentioning improved defenses against DDoS attacks. Schneier is much more cautious, and I would be as well. Botnets could be used for other things than traditional DDoS, for instance for attacking other vulnerable devices.
• About cyberwar, the same difference in considering only repetitions of existing attacks leads to similar differences, where Lewis dismisses the risk of potential consequences of a full-scale cyberwar.
• Finally, Lewis considers that the risk will decrease as we get more familiar with the technology, and our experience grows. This is partly true, but it is only valid if we build experience fast enough to offset the increase of risk due to continued deployment of new technologies, which is not obvious today.

At this level, we are talking about opinions and predictions. Depending on whether you believe that history repeats itself or that we always get interesting new things, the conclusions are different. Well, my motto for 2019 still is “The times, they are a changin’ “, so I believe in the unpredictable.

Does it matter?

Note that it doesn’t matter that much. The conclusion from James Lewis does not differ greatly from Bruce Schneier’s. In the end, he recommends that the government “can accelerate risk reduction with the same methods we use for general cybersecurity: research, liability, infrastructure and regulation.”

The IoT insecurity issue may not be of apocalyptic scale, but it nevertheless remains an issue that needs to be considered by governments.

Until recently, life was easy, and we could define levels easily. Since 3 is a magic number for levels, here is a definition that I penned myself:

• Low. Risks on individual goods and personal assets.
• Medium. Risks on collective good and community assets.
• High. Risk on human lives.

This classification can be (and has been) criticized, but it shows the idea. If something can only hurt your belongings, it is less sensitive than a thing that can impact, let’s say, your city’s traffic lights, and much less sensitive than a device that can kill you. And of course, you expect to spend less money on certification for anything with low risk.

If you work on IoT devices, then it is easy to apply this classification. My connected toothbrush is low, so is my personal security camera. The school’s security camera is medium, though, and a hospital’s connected syringes are high.

But wait. Didn’t Mirai exploit cameras to take down community assets like OVH servers? That’s the IoT issue: my camera as a personal security device to protect my house has a low risk level, but the same camera as a member of a botnet has at least a medium risk level, possibly a high if the next bad guy decides to attack emergency services instead of Web hosting services.

This is very hard to capture in a 3-level unidimensional classification. Yet, as we move towards certification of IoT devices, we need to include this collective risk. It is not enough today to consider what a device is supposed to do (watch my house), but we must consider what the device could do after being hacked, and even more importantly, what a large number of the same device could do after being hacked.

Here are three examples with different risks:

• IT risk. Any permanently connected device can be targeted by a Mirai-like malware and end up attacking any part of our digital infrastructure.
• Human risk. Anything with a battery may be led to overheat and possibly explode, and multiplying this could lead to havoc and multiple injuries.
• Economic risk. Sending Brickerbot (which destroys what it infects) to a large number of simple but essential connected parts (for instance, car parts) could lead to a shortage of parts and major economic damage (for instance, if cars can’t be fixed).

These risks are hard to capture, but they are significant. However, it is just not possible to label every connected object as high risk, because certification constraints are too high.

One solution is to define a Low or Basic level that includes a significant level of protection against hacking and malicious exploitation. Even this apparently simple solution is hard to define, but thinking about the problem in such terms is already a big step ahead.

So, remember: A single connected device is cute, but collectively, they can be very dangerous.