David Bray, chief information officer at the Federal Communications Commission, is currently on a five-week Eisenhower Fellowship overseas, traveling in a personal capacity to meet with government in Taiwan and Australia regarding cyber strategies for the Internet of Everything. He shared this initial report from Taiwan with FedScoop. His views are strictly personal and represent solely his own in an Eisenhower Fellowship capacity.
Over the last week, I have met with government and industry officials in Taiwan regarding regional strategies for the Internet of Everything (IoE). More meetings are planned for the week ahead, so the observations to date should be considered preliminary findings, to be refined during additional discussions ahead.
Foremost, from the discussions I’ve had about the IoE and cybersecurity with Taiwan’s leaders, the nation has been living at “ground zero” when it comes to experiencing daily security challenges. Taiwan’s leaders are both aware of the risks posed by exposing an increasing number of important information systems to the Internet and have been proactive in educating their government workforce about the threats since 2000.
For Taiwan’s government, these efforts started 15 years ago and while no system on the Internet is 100 percent secure, they’ve made great strides to reduce the risks to government agency systems – including their sophisticated, automated Taipei traffic control system where you can use a free mobile app to view traffic cams anywhere, access GPS-based time tables for buses, see real-time parking space availability for garages, and follow the green lights in a parking garage to a free parking space.
It’s only a matter of time before your IoE car reserves a parking space and drives you to it by itself.
Even given this progress, in my meetings with representatives of the Taiwan government and experts at institutions such as the National Taiwan University and the National Taiwan University of Science and Technology, three concerns emerged regarding cybersecurity and the IoE:
1. The Internet of Everything (IoE) will increase the risks of cybersecurity challenges to the average consumer. Whereas historically Taiwan’s government and potentially a few very large companies were cybersecurity targets, increased commercial adoption of the IoE will make the risks of cyber crime, cyber extortion, and cyber intrusion very real to the average consumer. Consumer privacy will also need additional emphasis to protect since IoE devices will generate large amounts of intentional and unintentional personal data.
2. Current approaches to cybersecurity, i.e., relying on human experts to build and maintain “tougher digital locks” and “higher (fire)walls,” will not be sustainable as the IoE’s potential attack surface expands. While Taiwan’s military will focus on protecting their systems, and Taiwan’s government their own nonmilitary systems, it’s not clear who will look after companies or individual consumers. Who will guard your grandmother’s car or refrigerator from being hacked, or if it is hacked, who will detect this and then notify your grandmother? A new model is needed that recognizes the exponential growth of the IoE and the challenges of multiple, proprietary interfaces for the IoE layered on top of TCP/IP.
3. The IoE will make even more visible the flaws present in TCP/IP and the challenges of guaranteeing any IT system is 100 percent secure. As Taiwan’s experiences underscore: While certainly one can encourage good “cyber hygiene” practices and preventive measures to reduce risk and improve the overall security health of a system, if a device or system is connected to the Internet, it’s at risk, especially from unscripted, zero-day exploits to which there may be no defense until after an attack.
A New Model Is Needed
Taken together, these three concerns mean Taiwan, and other nations, might want to consider approaching cybersecurity differently – focusing instead on cyber resiliency and an approach more akin to “cyber public health” aimed at preventive measures and rapid detection, containment, and mitigation of cyber threats akin to infectious disease control.
Given my own experiences with bioterrorism preparedness and response at the U.S. Centers for Disease Control and Prevention (CDC) from 2000-2005, I find this model of “cyber public health” resonates as there is no way anyone can guarantee an infectious disease outbreak or bioterrorism event will not occur. Even if you do create preventive measures against known pathogens, there will always be new mutated strains that resist past treatments. So in the public health world, what is possible and what is in fact done is:
1. We can teach individual hygiene to communities to reduce the likelihood of a new outbreak emerging.
2. We can establish good infectious disease detection procedures focused on signs, symptoms and behaviors – with an equal emphasis on protecting the privacy of individuals.
3. We can mobilize epidemiologists and public health professionals to characterize, contain and remediate an infectious disease as quickly as possible, should one emerge.
Circling back to the IoE, rapid detection and response does reduce “dwell” time and thus the consequences of an infectious disease outbreak in the same way that rapid cyber detection and response to an IoE threat would reduce its dwell time and consequences. Our modern established procedures for conventional public health seem well suited as a new approach to improve the cyber health of the IoE.
Making these ideas real
As an additional emphasis on protecting privacy, public health at the federal level in the United States does not collect protected health identifying information of a patient – focusing instead on public health signs, symptoms and behaviors. Thus a “cyber public health” approach equally could protect privacy and improve resiliency by anonymously sharing the equivalent of cyber signs, symptoms and behaviors that different IoE devices are experiencing to a “cyber CDC” that could watch for anonymous cyber behaviors within the data.
Taiwan could pair a combination of human experts with machine-learning algorithms to make sense of the data. The algorithms by themselves would be insufficient. Humans would need to sort through false positives and provide context to the data; at the same time, humans alone would be insufficient given the sheer volume of data.
Taiwan’s companies and consumers could choose to “opt-in” and stream cyber behavior-related information from their IoE connected hardware and software devices. Sharing information on behaviors would protect confidentiality of individual companies and consumers while at the same time improving the ability to spot 0-day exploits, where no known signature of a cyber threat may exist yet, just a set of anomalous behaviors that don’t fit a normal pattern.
Over the next week, I look forward to further conversations in Taiwan regarding the IoE’s impacts on society. Tomorrow I’m meeting with the Ministry of Justice’s cyber crimes division and then on Friday with an open government movement called “g0v” that includes some 9,000 volunteer coders helping to improve Taiwan’s digital services.
My discussions with leaders in Taiwan raise interesting questions on what a “cyber public health” approach might look like for the IoE. We have already seen 7 billion network devices on the face of the planet in 2013 grow to 14 billion network devices in 2015 (equal to almost twice the number of humans globally).
Given the IoE is estimated to grow to be anywhere between 50 billion and 200 billion network devices by 2020 – perhaps a solution to address such exponential growth is to apply the same techniques and principles that allowed public health to conquer smallpox, polio, typhoid and other major infectious diseases in the 20th century to future 21st century “cyber infection” control?
As always, comments, thoughts and feedback welcomed.