It is a natural human reaction when something goes wrong, or an accident occurs, to seek to attribute responsibility or blame. Whether it’s an industrial accident, transport disaster or how little Jonny had his tooth knocked out, the sequence of events is much the same; shock at what has occurred, hasty judgements as to the cause and then an extended period of investigation to identify lessons to avoid it happening again. It is at the end of this process that the cruel truth is often established that the reason for the event is an unfortunate combination of events and no single body or person is to blame; instead, many people involved bear part of the responsibility.
The Distributed Denial of Service (DDoS) attack on a number of popular websites that made the news recently was attributed to hackers utilising the vulnerabilities of home automation products such as sensors, TVs and webcams. Jeff Jarmoc, Head of Security for global business service at Salesforce, pointed out that internet infrastructure is supposed to be more robust: "In a relatively short time we've taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters," he tweeted. This captures the irony of the situation! In the headlines the event is cited as a further example of the threats posed by the Internet of Things (IoT), a world of interconnected devices capable of sharing data and promising a wealth of new services and products.
There is no doubt that a hyper-connected world risks vulnerability to such attacks, but a cursory examination of the facts shows that the responsibility for the impact of this event is not clear. Was it the device manufacturer who had provided products with easy-to-guess default passwords, the consumers who bought these devices and didn’t think (or simply weren’t aware enough of the risks) to change those passwords, or was it the network infrastructure provider that appeared not to have implemented measures to respond to such a DDoS attack? Then of course there are the politicians who created the political culture that had led the hackers to have a strong sense of grievance. The list could go on!
It is easy to blame ‘The Things’, but really there is a wider issue here. There are benefits as well as risks in the emergence of IoT: improvements in Telecare, protection of the vulnerable, or helping to avert manufacturing or transport failures. But if we, as both individuals and as a society, are to gain from these advances then we all need to play our part in cyber security. Among the contributing factors to the DDoS attack, any one of the parties could have made a significant contribution to minimising the impact. Ignorance can no longer be an excuse. Those involved in the way the ‘Things’ are designed need to consider not just the security of the device itself, but the potential aggregation effects if multiple devices are breached, and, perhaps most importantly, how the devices will be used and by whom. It’s unrealistic to expect everybody, especially those more vulnerable users who will benefit the most from the unseen increasing interconnectivity of devices making their lives easier and safer, to be wholly responsible for the security of their devices. The education challenge would be enormous, although all of us ‘users’ need to play our part! No matter how sophisticated the door lock, it is easily compromised if you leave the key in it! So devices that are designed in a way that maintains their usability but enables the user to use them in a secure way will become increasingly important if the Internet of Things is to become accepted by people as an intrinsic, valued part of their lives.
The nature of real-world cyber-attacks doesn’t make for a great blockbuster movie. Sadly they are far more mundane, as Ian Levy at the UK’s National Cyber Security Centre points out:
So maybe it was not ‘The Things’ but ‘The People’ who should be the focus here. We could have all done better!