Alarm bells rang out on October 21 when large chunks of the internet in the United States and Europe were made inoperable. This happened because of a specific type of hostile attack, termed “Denial of Service”; this paralyses an organisation’s internet-facing servers (computers) by flooding them with artificially created traffic that has been dramatically scaled up.
Here, the pin-point objective was to paralyse an online directory service organisation, Dyn, central to successful internet operation. The attackers hacked and took control of an estimated 100,000 low-end devices that can autonomously access the internet, directing them to overwhelm Dyn — and consequentially paralyse the internet. The Internet of Things (IoT) was involved because the attack exploited very large numbers of ubiquitous low-end devices connected to the internet. This event was a chilling demonstration of the new vulnerabilities that attend the astounding growth of the IoT, and the central role of the internet as the digital nervous system of the interconnected machine and human experience. Technology, and the exploding range of services it enables, has consistently outpaced our understanding of the internet’s evolution and the systems designed to protect it.
In this case, the hijacked devices were primarily simple internet cameras that have become popular as security surveillance devices. Attackers easily hacked many of these and took control by introducing malicious code that repurposed these devices as “bot” devices — slaves to central controllers — acting then as an army of “bots”, sending volumes of spurious requests to the chosen target. The attackers exploited the fact that many such microprocessor-based devices are vulnerable and can be maliciously made to access the internet autonomously because built-in security barriers are inadequate or neglected.
In contrast, modern computers, laptops or other networking devices, where security is a major consideration in design architecture, with software properly updated, are more difficult to hack into, though not impossible. This was demonstrated by the well-documented hacking of computers in the offices of the Dalai Lama, where hackers took control of built-in microphones and cameras to eavesdrop on conversations and watch all visitors. But even when individual machines are hacked — with a loss of valuable information — they do not scale easily into an army of “bots”.
Low-end IoT devices are vulnerable because they are cheap commodity items; addressing security would require sophistication in design and add to the cost. This class of IoT items is proliferating with new applications, many useful, some frivolous; for example, many home appliances, thermostats, security and monitoring devices and personal convenience devices are part of the IoT. So are fitness trackers, certain medical implants and the proliferation of computer-like devices in automobiles. The IoT is in its early stages and expected to expand exponentially — but new security challenges that must be addressed are daunting. Ultimately, solutions will be developed. But the ever-present gap between the growth of enabling technologies that lead and the lag in the required development of security safeguarding technologies is alarming. This lag phenomenon will not change. And the consequences are not easy to predict.
But the events of the internet shutdown in October left cyber-savvy people spooked, including in the world of national security. There are three standout issues: First, the threat scenario, that has long been a major “what if” concern for people who worry about such things, has now been demonstrated. Second, if such an attack can be mounted with an estimated 100,000 captive “bot” devices, then what would the impact be with, say, one million devices or more, directed toward multiple critical targets? What if these attacks were directed at specific individuals, groups or organisations for economic damage, or to disable infrastructure with hostile intent? The effects could be crippling or devastating in terms of civil, economic or military impact. The third is the concern about who was behind this attack — it is theoretically possible that a gifted but misguided teenager could be responsible. But that is highly unlikely. What worries security experts is the likelihood that a nation state, or its surrogates, were behind the attack. The capability demonstrated could be a prototype for a scaled-up attack on other critical parts of services and infrastructure dependent on the public internet.
The challenge is what can be done about this. Long-term solutions will require immediate operational actions and practices with longer-range initiatives, some policy driven. These will require shared responsibilities across a spectrum of players, from individuals to institutional and corporate entities and various agencies of the government.
The root cause is the vulnerability of devices where security has not been addressed as part of the original design, or indeed, provisions do exist but these processes have not been followed at the time of activation. It is critical that standards for device security must exist and compliance must be required for sale and operation. The most effective move would be to embrace the standards and protocols being adopted by technologically advanced economies of the West that have dramatically higher stakes and are developing safeguards. That will position India well for the future as its own reliance on the internet rises steeply.
But even that would be a partial solution since hundreds of millions of vulnerable devices are already out there globally — the IoT is not waiting to happen. An important step should be to assess the risk from all exposed devices and take actions to contain this. In some cases, the fix might be simple; replace default passwords by strong, unique passwords. But when security considerations are not well addressed, the only sensible action would be to either disable autonomous access or remove the devices altogether.
Urgent action is an imperative — otherwise, we risk becoming collective victims of cyber-attacks or unwitting accomplices to these incidents, potentially with large-scale and serious consequences. At a national level, more is needed. The imperatives are, first, to set policy, strategies and priorities to address this and other aspects of cyber security, including appropriate frameworks of laws and statutes. Second, it is vital to develop and set specific standards and provide guidance for compliance. Third, we must identify vulnerabilities and prioritise actions to protect critical infrastructure and operational capabilities. Fourth, developing and maintaining specific real-time interventional capability to address a cyber attack of this nature by pinpointing and containing it, and ensuring resilience for protection and restoration of capabilities, is important. Fifth, we must carefully think through protocols that will be necessary to manage such complex issues that cross organisational boundaries in real time — the ability to respond must not be hampered by internal boundaries and conflicting authorities.
Cyber security is a complex topic that requires a range of coordinated, dynamically adaptive actions where responsibilities span from individuals and organisations to national governments. The stakes are enormous. Cyber security is already a rapidly evolving frontier of vulnerability and threat. The option to do nothing does not exist.