With the massive number of new insecure internet of things (IoT) devices coming online in 2017, this may be the year that sees the first hybrid terror attack – a physical-space attack made worse by a simultaneous cyber-space distributed denial of service (DDoS) attack directed at the computing infrastructure of first responders.
Imagine a truck bomb detonating in Manhattan and – at the same time – a botnet comprised of millions of IoT devices flooding the NYPD and FDNY digital communications networks with data, crippling the response. In addition to the increased death toll, such an event’s psychological component would sow unease throughout the population. Terrorists would rejoice that they made the entire Western world afraid of common household appliances.
The terrorist attacks of Sept. 11, 2001 sadly demonstrated that policy makers typically act on well-known security problems after people die and media outlets loudly broadcast the body count. For a decade prior to the 2001 event, a group of CIA officers tracked Osama Bin Laden and his organization. Despite their vigorous warnings to others in the US intelligence community, nothing was done to comprehensively address the problem until nearly 3,000 Americans died and the US government was embarrassed into taking the terrorism threat seriously.
We are now seeing this pattern repeated with cybersecurity.
Consider two recent examples. First, the recent Dyn DNS DDoS attack, which took down dozens of websites using hundreds of thousands of compromised IoT devices, prompted much hand-wringing from government officials and legislators worrying aloud about the potential for a ‘cyber Pearl Harbor’. Second, real progress on cybersecurity is absent in the wake of the DNC and John Podesta email hacks – politically focused events that should have terrified politicians into immediate action.
Why is the government endlessly talking about the problem yet doing nothing about it?
The answer is well described in a recent InfoWorld article which explains that, along with lack of global consensus, the convenience afforded intelligence agencies by an insecure internet is the real reason governments are slow to enact truly effective cybersecurity regulations. For proof, one needs only look to the revelation that the National Security Agency (NSA) exploited security flaws in certain routers and then kept that information to itself. Immediately following the NSA leak, Cisco and other router manufacturers scrambled to patch the vulnerabilities.
Since 9/11, terrorist attacks have trended from large, complex plots to more easily executed operations involving one or two operatives attacking soft targets. A DDoS attack is relatively simple to execute provided the perpetrators command sufficient numbers of connected refrigerators and security cameras from which to pump data. Terrorists will inevitably use any force multiplier that allows them to increase effectiveness while avoiding the need for complex communication. A hybrid terrorist attack requires only precise timing between the physical-space ‘guns and explosives’ attack and the cyber-space DDoS attack.
The provisions in the PATRIOT Act were already drafted and on the shelf when 9/11 provided the catalyst for passage by Congress. We should expect that government security agencies have already war-gamed hybrid attack scenarios and have developed regulatory solutions to address the problems. Sadly, it will take a serious, life-ending attack to force government (and private industry) into effective reform.
The most tragic but fascinating aspect of a hybrid terrorist attack is that an average citizen watching news of the event may be a direct participant via the connected refrigerator that just sent an out-of-beer smartphone alert.
Be prepared: 2017 may be the year that cybersecurity is seriously addressed through pain of death.
This article is published as part of the IDG Contributor Network.