How Concerned Should We Be about IoT Vulnerability?

Paul Rosenzweig
Friday, February 12, 2016, 4:14 PM

In 2006, when the Office of the Director of National Intelligence provided its first "Annual Threat Asssessment" top billing went to the "Global Jihadist Threat." Rounding out the top three concerns, Director Negroponte mentioned the then-ongoing Iraq and Afghan wars and the proliferation of weapons of mass destruction. Cybersecurity issues were nowhere to be found.

Published by The Lawfare Institute
in Cooperation With
Brookings

In 2006, when the Office of the Director of National Intelligence provided its first "Annual Threat Asssessment" top billing went to the "Global Jihadist Threat." Rounding out the top three concerns, Director Negroponte mentioned the then-ongoing Iraq and Afghan wars and the proliferation of weapons of mass destruction. Cybersecurity issues were nowhere to be found. In the 2009 assesssment, pride of place went to the then-boiling global economic crisis. The "growing cyber threat" appeared on page 38 of the DNI's prepared testimony. By 2011, cyber had advanced to page 25 ... a welcome leap in importance. And by 2013, cyber was not only in the top 3 but had leapt again to the number one threat to American national security (at least if the ordering of the annual threat assessment is reflective of relative importance).

What then, are we to make of this year's World Wide Threat Assessment? Again, if prioirty and ordering of the statement is reflective of threat perception, the DNI today thinks that the gravest threat to American national security may come from the Internet of Things (IoT). As DNI Clapper puts it:

“Smart” devices incorporated into the electric grid, vehicles—including autonomous vehicles—and household appliances are improving efficiency, energy conservation, and convenience. However, security industry analysts have demonstrated that many of these new systems can threaten data privacy, data integrity, or continuity of services. In the future, intelligence services might use the IoT for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials.

His other great fear? Artificial Intelligence. Here is DNI Clapper again:

The increased reliance on AI for autonomous decisionmaking is creating new vulnerabilities to cyberattacks and influence operations. As we have already seen, false data and unanticipated algorithm behaviors have caused significant fluctuations in the stock market because of the reliance on automated trading of financial instruments. Efficiency and performance benefits can be derived from increased reliance on AI systems in both civilian industries and national security, as well as potential gains to cybersecurity from automated computer network defense. However, AI systems are susceptible to a range of disruptive and deceptive tactics that might be difficult to anticipate or quickly understand. Efforts to mislead or compromise automated systems might create or enable further opportunities to disrupt or damage critical infrastructure or national security networks.

As the Washington Post put it (somewhat humorously), it seems that robots and smart thermostats keep our intelligence agencies up at night. Nor is the DNI alone in his concern. Co-blogger Nicholas Weaver has written about the IoT as a "Global Spy System" that can pervasively collect information on us and even, potentially, kill us.

Color me just a small bit skeptical. Not about the overall problem. To the contrary, I work with a group called "I Am The Cavalry" dedicated to the proposition that we are moving ahead with cyber-enabled technology much faster than we are moving ahead with cybersecurity for that same technology. I recognize, and agree completely, that much of the new IoT is being created without any realistic security protocols and that the new systems are deeply exploitable, for information collection and, in extreme cases, even malicious activity.

Where I part ways with DNI Clapper (and, I suspect, my friend Nicholas) is in characterizing this as an extreme national security threat. IoT threats, by their nature are much more likely to be expressed at the retail level than at the wholesale level. If I use a smart home, for example, I (and my family) bear the risks of intrusion and data collection. That's a problem for me, certainly, but not for America.

From a national security perspective the real threats exist in the case of threats to public infrastructure. Our aviation systems, rail systems, and waste treatment plants are increasingly run by AI systems that are vulnerable. That is a real concern and should be the focus of our efforts. To focus, instead, on the risks from consumer goods like cars and appliances (as the DNI seems to) as a matter of national security is, it seems to me, to focus on the wrong thing.

Again, I am not in any way denigrating the nature of these concens to consumers. You and I will have real issues if our autonomous car is hacked -- but that's not the same thing as a national security threat that takes down the entire GPS-enabled autonomous tracking system. To think otherwise risks misdirecting our resources. After all, what do we think the real national security risk is if hackers can cause an IoT toilet to malfunction?


Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company and a Senior Advisor to The Chertoff Group. Mr. Rosenzweig formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is a Professorial Lecturer in Law at George Washington University, a Senior Fellow in the Tech, Law & Security program at American University, and a Board Member of the Journal of National Security Law and Policy.

Subscribe to Lawfare