A couple of weeks ago I was talking to an Irish Times journalist about security in the Internet of Things. I used one of my favorite analogies for the way cybersecurity fears can get overhyped – the automobile. Driving is among the most dangerous things a person can do in modern life, yet we take it in stride. Few of us freak out as we climb behind the wheel, terrified of the incredible perils we face simply by pulling out of our driveway. My point was that there are plenty of technology risks that should scare us more than (legitimate but largely theoretical) IoT vulnerabilities, but we choose to ignore them. The comparison seemed to go over well. At least until a few days later, when someone hacked a Jeep.
Crap, I thought, as the security community and the media went slightly and predictably nuts. Did this mean my analogy no longer worked? Did hackers just make driving much more dangerous and me much less insightful at the same time? Thankfully, I was rescued from my distress by a stranger on my local freeway. Sliding into a lane behind my fellow motorist, both of us doing 60 mph down I-35, I gazed through his rear window at the phone propped up on his dash. I thought he was texting at first, then closer inspection revealed he was actually video chatting. In sign language. Using both hands. At which point my rhetorical soul searching came to a crashing stop.
“…a great and sudden change.”
Security professionals worry about IoT because we get paid (in various ways, some more self-serving than others) to concern ourselves with vulnerabilities in digital infrastructures. But IoT represents a merging of infrastructures, not all of them digital or even technological. If everything is networked, then there’s no distinction between security in the network and security in everything else. Physical safety, consumer protection, personal responsibility, and a host of other infrastructures come into play. Jeep’s recall announcement of over a million vehicles soon after the hacking story broke is a good example of how IoT is adding a new layer of complexity to managing computer vulnerabilities, as is the recent FDA announcement warning hospitals to stop using a certain medical device due to security concerns that could impact patient safety. But product recalls and safety warnings didn’t start with the invention of the IoT. And it’s far more likely that security flaws will be absorbed into these public safety processes than disrupt them completely. Dangerous technologies aren’t new, just like there’s nothing novel about people finding reasons to be afraid of new technologies. Mary Shelley took it viral two centuries ago.
Whaddaya gonna do with that thing?
But there’s an important element that I think gets overlooked in all the technocentric worry about IoT security, one you might expect from a guy who calls his blog Security is People! – the human one. The ultimate disruptor. One that can transform an image of completely reckless driving into a sunny visual metaphor for freedom and joy. One that refuses to buckle up until it becomes illegal not to (and even then…). One that creates organizational cultures which may downplay or suppress safety and security concerns until regulation and liability make it unprofitable to do so. Technology doesn’t create those phenomena and technology won’t stop them. People have to. As Chris Valasek, one of the researchers who demonstrated the Jeep security flaw, told CNBC –
I’m more afraid of someone texting and driving and running into me than I am of someone hacking my car.
Security vulnerabilities often concern me, sometimes a lot, but they very rarely scare the bejeezus out of me. At least not any more than other “big ticket” worries like climate change, global pandemics, or nuclear proliferation. Usually less. It may be that cybersecurity threats are reaching that point of society-wide impact, in which case a response is obviously required. But if that response is to obsess over incidents (hacked cars, pumps, and locks) while defending the status quo (little liability, little regulation, few professional standards, but lots of security products hitting the market), then our industry will be part of the problem rather than the solution. We are challenged to think bigger. Like: how do we address information security as a society rather than just an industry? Looking at how society copes with those other big ticket afflictions, one sees a far more complex proposition. It’s more than technology can accomplish. Certainly more than the security industry alone can address. And there’s a good chance that this will be one of those human troubles that we all have to muddle through to some extent, without ever really finding a way out. Maybe that’s what we fear most of all.