The 1995 Hollywood movie Hackers introduced the world to the idea of teenagers breaking into banks and companies via the internet to download sensitive data and steal money. One hacker used a government database to change a person’s status from living to dead. Malware was used to capsize an oil tanker. Although the movie was released over 20 years ago, many of the risks and issues raised are still relevant today – some more than ever.
While many people probably imagine that capsizing oil tankers through hacking is pure fiction, in 2014 hackers actually tilted an oil tanker off the coast of Angola, causing it to shut down and allowing pirates to take control of the vessel. At the DEF CON hacker conference in 2015, computer security researcher Chris Rock demonstrated how to exploit weaknesses in death record websites to “virtually kill people.”
Imagine receiving a call from your bank saying that your account has been frozen because, according to their records, you’re dead!
It has been suggested that the motivation for hacker activity could be the desire for hackers to challenge themselves or the allure of money. If we look at the most recent ransomware cybercrimes, victims were forced to pay money to cybercriminals or else lose access to their data and systems.
According to Cybersight, every 40 seconds a person or company is affected by ransomware. In 2017, it was estimated that ransomware cost companies and individuals $5 billion. If hackers can cause this much damage by infiltrating individual systems, what could be the impact of hackers gaining access to vulnerable systems which are also connected to and integrated with IoT smart companies?
The Potential impact of Future IoT on Existing Cybercrime
While IoT has become an increasingly prevalent buzzword, the actual definition of this technology is rather unclear. Most people consider IoT to be the value created by connecting previously unconnected devices to each other. One example could be allowing a refrigerator to detect milk levels and then automatically order more milk online when milk starts to run out.
For the purpose of this article, I would like to disregard this type of IoT, and instead consider the huge and complex smart industries created by mega-companies like Hitachi, which sink hundreds of millions of investment dollars into creating smart-companies. As an example of this, imagine a large corporation where all devices are interconnected, where every device is a sensor, part of a huge network of data generated on a nanosecond-by-nanosecond basis. At its heart is AI which can filter and organize data into useful insights to be delivered to managers and executives.
As of January 2018, it was estimated that 8.4 billion devices have already been connected. By 2020, experts have projected that this number will approach approximately 50 billion. This represents the potential for a dramatic improvement in the evolution of technology and innovations which have heretofore been unachievable. A Gartner study in 2016 projected that by 2020, IoT will save consumers and businesses $1 trillion a year in maintenance, services, and consumables. Platform solutions like Hitachi Lumada are already offering corporate customers the capability to integrate systems through IoT to enable them to better understand core activities throughout the value chain.
The power of big data on such a large scale creates the potential to streamline existing processes, gather and interpret complex business activities, and in the end gain an advantage over competitors. The power of IoT will rely on how companies leverage AI. In addition, since data has become a new currency, potentially vulnerable IoT systems create exciting (and scary) opportunities for hackers who have both the technical know-how and the determination to cause damage and steal data.
A Deloitte model on cybersecurity maps out the level of hacking sophistication with an attacker’s determination to penetrate a system. The assumption is that the more time and effort a hacker invests, the more damage or data they seek.
Examples of cybercrime at the lower left side of the graph might physically damage hardware, steal personal information, lock down a system, or demand money.
At the mid level, corporations stand to lose confidential data, hundreds of millions of dollars, or access to systems, causing significant disruption in business activities.
The areas highlighted on the far right refer to matters of national security. Hackers could, for example, gain access to a nuclear power plant, accidentally or intentionally cause nuclear material to enter into the water or air supply, hack air traffic control and crash planes, or steal entire databases of confidential data. The potential for financial loss and even loss of life grows with the level of attacker determination and hacking sophistication.
Cybersecurity embedded cultures: Corporate overconfidence?
Taking a step back, there is no denying that smart industries are the future of organizations and businesses; indeed, IoT is already here today. But the dangers of weak cybersecurity are increasingly becoming a cause for concern due to the escalating potential of damage and the scope of data affected.
A global survey by Accenture in 2017 found that 80% of companies are confident in their cybersecurity-embedded culture, while 1 in 3 focused attacks find success. In addition, only 17% of respondent companies invest in cybersecurity training. The Institute of Information Security Professionals (IISP) survey in 2016 showed that 80% of computer security professionals believe that employees are the biggest security vulnerability in any organization.
Cybersecurity risk is spread between intended and unintended harm. Opening suspicious email attachments can enable viruses to be released into a company system, deleting files and creating damage. Alternatively, a trojan may create backdoors into a secure system, enabling data theft or system exploitation. Disgruntled employees may wish to abuse their security privileges simply for revenge against the company. Revoking existing passwords and changing a computer’s authority is insufficient against such threats – often, it is the employee’s knowledge of the company’s systems which enables them to subvert security in the first place.
If the original 1990s Hackers were rebooted and set in 2020, considering the effects of IoT, the story could believably be about a national-level collective from North Korea hacking an integrated smart bank industry to drain trillions of dollars and crash the world economy. It would hardly seem implausible. Just a few months ago, in January 2018, global media outlets reported that North Korean hacking collectives were responsible for a cyberattack on Youbit, resulting in a loss of 17% of its BitCoin assets, amounting to approximately $75 million.
Cybersecurity is primarily a defensive measure and is reactive in nature. Companies tend to wait for cyberattacks to happen before finding ways to prevent them. Perhaps it’s time to move to a more proactive method of cybersecurity, perhaps strengthened through AI and deep learning. IoT could be a solution. Certainly, companies and organizations that utilize IoT today need to escalate investment in cybersecurity in proportion to new risks.