We invite insecurity and hacking, says Scythe CEO Bryson Bort, by pushing millions of insecure IoT devices into the environment.
TechRepublic's Dan Patterson sat down with Bryson Bort, founder and CEO of Scythe, to talk about the challenges of IoT. The following is an edited transcript of the interview.
Bryson Bort: For the last two decades I've been doing offensive security research, and the way I phrase that is really understanding what's the edge of what's possible in computing, as opposed to just sort of staying within the middle of the bell curve of functionality.
So, I started off as an Army officer, and I did a lot of tactical network communications, and obviously, in that kind of contested environment security is a big concern. I moved into the private sector doing work for lots of different customers, both government and commercial, and we did security research where we looked for vulnerabilities, and we looked for different unique ways to handle those kinds of compromises and challenges in the environment.
SEE: IT leader's guide to cyberattack recovery (Tech Pro Research)
First, let's think about what is the Internet of Things (IoT), and if you think about that very amorphous name of something it's the fact that computing has become so miniaturized, so power efficient, that I can push these computers literally everywhere. And we are used to things now—that wristwatches finally can do the Dick Tracy thing—all the way so that we're starting to look at how do we incorporate computers into our clothing.
And so as you start to see that going everywhere, it's something that is now a daily part of every consumers life. It's entirely possible in the future that your future identity is going to be all of those systems around you, and that's going to be a better tell of who you are than, say, your social security number or your name.
The challenge we have with IoT is that these are all very cheap, ubiquitous devices that are meant to push out in volume and get to market quickly. And the first part, of course, is that the consumers aren't buying one webcam versus another webcam with any comparison of security because there is not a standard to even look at that. All you can look at is, "Well this phone has these features, and this costs this much." So, they're pushing these devices into the environment, and the impact is also not there for the consumer.
It might be creepy for somebody to hack into my webcam, or it might be, "What could they do if they hacked into my nest thermostat? But are there really bad guys out there interested in playing with my temperature?"
And then the attacks that we saw last year were mostly just using those devices to then go and cause damage to other places. This was where we saw the denial-of-service attack where they pushed lots of traffic from hundreds of thousands of devices throughout the world and took down that website over days, and it eventually completely shut down.
And the real risk that we have is that these devices are pouring in, and the numbers increase, and everything's interconnected. It's just like the same problem we see with herds of animals, where if the herd has been inoculated against a virus to a certain point then there's no outbreak, but you drop below that tipping point of inoculation and outbreaks happen. And we have that same threat with IoT, that by pushing all of these insecure devices into the environment we're going to be more vulnerable overall, even things that aren't directly a part of that, because of that same principle.
SEE: Internet of Things (IoT): Cheat sheet (TechRepublic)
Industrial IoT, industrial control systems, operational technologies—these are those esoteric systems that have brought modern life to what it is. How do I get electricity? Where does my water come from? I love air conditioning. These are all brought by these systems, and one of the big changes that we've seen where there's now been an increased awareness of security is the fact that computers have gone from being this abstract thing that, "Oh, I can't get email when it's down," to now it can have a physical impact. It can directly impact my style of life, and what might be happening to me.
Compound that with what we see in the news, where there are lots of other countries that are exploring the bounds of what can they do with that to cause damage or potentially do something. Now we haven't seen anything that has really happened yet, but we've started to see the first creeping of things beginning to happen where malicious code is popping up in locations, and then it's being found. But clearly for it to have gotten there somebody is trying to do something, and it's key here to not think of these as, "Wow, that's cyber," or "That's computers," but this is just the evolution of warfare and espionage that we've been seeing since the beginning of humankind.