David Bray is Chief Information Officer at the Federal Communications Commission. However, he writes this post as a private citizen, not an FCC representative.
Over the last week, I have met with government and industry officials in Taiwan regarding regional strategies for the Internet of Everything (IoE). More meetings are planned for the week ahead, so the observations to date should be considered preliminary findings, to be refined during additional discussions ahead. My travels are part of a five-week Eisenhower Fellowship and this trip is solely in a personal capacity, with the views shared in this post both personal and solely my own.
Foremost, from the discussions I've had about the IoE and cybersecurity with Taiwan's leaders, the nation has been living at "ground zero" when it comes to experiencing daily security challenges. Taiwan's leaders are well aware of the risks posed by exposing an increasing number of important information systems to the internet, and they have been proactive in educating their government workforce about the threats since 2000.
For Taiwan's government, these efforts started fifteen years ago and while no system on the internet is 100% secure, they've made great strides to reduce the risks to government agency systems – including their sophisticated, automated Taipei traffic control system where you can use a free mobile app to view traffic cams anywhere, access GPS-based time tables for buses, see real-time parking space availability for garages, and follow the green lights in a parking garage to a free parking space.
It is only a matter of time before your IoE car reserves a parking space and drives you to it by itself.
Even given this progress, in my meetings with representatives of the Taiwan government and experts at institutions such as the National Taiwan University and the National Taiwan University of Science and Technology, three concerns emerged regarding cybersecurity and the IoE:
The Internet of Everything (IoE) will increase the risks of cybersecurity challenges to the average consumer. Whereas historically Taiwan's government and potentially a few very large companies were cybersecurity targets, increased commercial adoption of the IoE will make the risks of cybercrime, cyber extortion, and cyber intrusion very real to the average consumer. Protecting consumer privacy will also need additional emphasis, since IoE devices will generate large amounts of both intentional and unintentional personal data.
Current approaches to cybersecurity, i.e., relying on human experts to build and maintain "tougher digital locks" and "higher (fire)walls", will not be sustainable as the IoE's potential attack surface expands. While Taiwan's military will focus on protecting its own systems, and Taiwan's government its non-military systems, it's not clear who will look after companies or individual consumers. Who will guard your grandmother's car or refrigerator from being hacked, or if it is hacked, who will detect this and then notify your grandmother? A new model is needed that recognizes the exponential growth of the IoE and the challenges of multiple, proprietary interfaces for the IoE layered on top of TCP/IP.
The IoE will make even more visible the flaws present in TCP/IP and the challenges of guaranteeing that any IT system is 100% secure. As Taiwan's experiences underscore, one can certainly encourage good "cyber hygiene" practices and preventive measures to reduce risk and improve the overall security health of a system – but if a device or system is connected to the internet, it's at risk, especially from unscripted 0-day exploits for which there may be no defense until after an attack.
A New Model Is Needed
Taken together, these three concerns mean Taiwan, and other nations, might want to consider approaching cybersecurity differently – focusing instead on cyber resiliency and an approach more akin to "cyber public health", aimed at both preventive measures and the rapid detection, containment, and mitigation of cyber threats, much as in infectious disease control.
Given my own experiences with bioterrorism preparedness and response at the U.S. Centers for Disease Control (CDC) from 2000-2005, I find this model of "cyber public health" resonates, as there is no way anyone can guarantee an infectious disease outbreak or bioterrorism event will not occur. Even if you do create preventive measures against known pathogens, there will always be new mutated strains that resist past treatments. So in the public health world, what is possible and what is in fact done is:
1. We can teach individual hygiene to communities to reduce the likelihood of a new outbreak emerging.
2. We can establish good infectious disease detection procedures focused on signs, symptoms, and behaviors – with an equal emphasis on protecting the privacy of individuals.
3. We can mobilize epidemiologists and public health professionals to characterize, contain, and remediate an infectious disease as quickly as possible, should one emerge.
Circling back to the IoE, rapid detection and response does reduce "dwell" time and thus the consequences of an infectious disease outbreak in the same way that rapid cyber detection and response to an IoE threat would reduce its dwell time and consequences. Our modern established procedures for conventional public health seem well-suited as a new approach to improve the cyber health of the IoE.
Making These Ideas Real
As an additional emphasis on protecting privacy, public health at the federal level in the United States does not collect protected health identifying information of a patient – focusing instead on public health signs, symptoms, and behaviors. Thus a "cyber public health" approach equally could protect privacy and improve resiliency by anonymously sharing the equivalent of cyber signs, symptoms, and behaviors that different IoE devices are experiencing with a "cyber CDC" that could watch for anomalies in the anonymous cyber behavior data.
Taiwan could pair human experts with machine-learning algorithms to make sense of the data. The algorithms by themselves would be insufficient: humans would need to sort through false positives and provide context to the data. At the same time, humans alone would be insufficient given the sheer volume of data.
Taiwan's companies and consumers could choose to "opt in" and stream cyber behavior-related information from their IoE-connected hardware and software devices. Sharing information on behaviors would protect the confidentiality of individual companies and consumers while at the same time improving the ability to spot 0-day exploits, where no known signature of a cyber threat may exist yet, just a set of anomalous behaviors that don't fit a normal pattern.
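As an added illustration of the opt-in, behavior-only sharing described above (example code written for this page, not from the author or any Taiwanese program), here is a toy "cyber CDC" intake in Python: each device event is reduced to an allowlisted set of behavioral counters before it leaves the owner, and a robust per-class baseline flags reports that don't fit the normal pattern so human analysts can triage them. The field names, device classes and sample telemetry are all constructed for the example.

```python
"""Toy "cyber CDC" intake: opt-in devices share only behavioral counters (no owner
or device identifiers) and a robust per-class baseline flags the outliers for triage."""
import statistics
from dataclasses import dataclass, fields

@dataclass(frozen=True)
class BehaviorReport:
    device_class: str      # product category only, e.g. "refrigerator" (hypothetical field)
    dns_queries: int       # DNS queries in the last hour
    outbound_bytes: int    # bytes sent in the last hour
    new_destinations: int  # never-before-seen peers contacted in the last hour

# Allowlist: anything not declared on BehaviorReport is dropped on the device itself,
# so owner, device_id or IP can never reach the "cyber CDC" by accident.
BEHAVIOR_FIELDS = tuple(f.name for f in fields(BehaviorReport))
NUMERIC_FIELDS = ("dns_queries", "outbound_bytes", "new_destinations")

def anonymize(raw_event: dict) -> BehaviorReport:
    """Reduce a raw device event to its behavioral "signs and symptoms" only."""
    return BehaviorReport(**{k: raw_event[k] for k in BEHAVIOR_FIELDS})

def robust_z(value: float, population: list) -> float:
    """Median/MAD z-score: one compromised device cannot drag the baseline with it."""
    med = statistics.median(population)
    mad = statistics.median(abs(v - med) for v in population)
    if mad == 0:  # peers all agree; any deviation at all is noteworthy
        return 0.0 if value == med else float("inf")
    return 0.6745 * abs(value - med) / mad

def flag_anomalies(reports: list, threshold: float = 3.0) -> dict:
    """Map report index -> fields far outside the baseline of same-class peers.
    Results are candidates for human review (false positives expected), not verdicts."""
    flagged = {}
    for i, report in enumerate(reports):
        peers = [p for p in reports if p.device_class == report.device_class]
        deviating = [name for name in NUMERIC_FIELDS
                     if robust_z(getattr(report, name), [getattr(p, name) for p in peers]) > threshold]
        if deviating:
            flagged[i] = deviating
    return flagged

# Constructed sample: five quiet refrigerators and one that has started behaving like a bot.
RAW_EVENTS = [
    {"owner": "grandmother@example.test", "device_id": "FRIDGE-0001", "device_class": "refrigerator", "dns_queries": 12, "outbound_bytes": 4000, "new_destinations": 0},
    {"owner": "a@example.test", "device_id": "FRIDGE-0002", "device_class": "refrigerator", "dns_queries": 10, "outbound_bytes": 3500, "new_destinations": 1},
    {"owner": "b@example.test", "device_id": "FRIDGE-0003", "device_class": "refrigerator", "dns_queries": 14, "outbound_bytes": 5000, "new_destinations": 0},
    {"owner": "c@example.test", "device_id": "FRIDGE-0004", "device_class": "refrigerator", "dns_queries": 11, "outbound_bytes": 4200, "new_destinations": 0},
    {"owner": "d@example.test", "device_id": "FRIDGE-0005", "device_class": "refrigerator", "dns_queries": 13, "outbound_bytes": 3800, "new_destinations": 1},
    {"owner": "e@example.test", "device_id": "FRIDGE-0006", "device_class": "refrigerator", "dns_queries": 900, "outbound_bytes": 800000, "new_destinations": 37},
]
```

Running `flag_anomalies([anonymize(e) for e in RAW_EVENTS])` flags only the sixth report, on all three counters, while the owner and device identifiers never appear in what is shared.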
Over the next week, I look forward to further conversations in Taiwan regarding the IoE's impacts on society. Tomorrow I'm meeting with the Ministry of Justice's cybercrimes division and then on Friday with an open government movement called "g0v" that includes some 9,000 volunteer coders helping to improve Taiwan's digital services.
My discussions with leaders in Taiwan raise interesting questions about what a "cyber public health" approach might look like for the IoE. There were already 7 billion network devices on the face of the planet in 2013, soon to grow to 14 billion network devices in 2015 (almost twice the number of humans globally).
Given that the IoE is estimated to grow to anywhere between 50 and 200 billion network devices by 2020 – perhaps a solution to such exponential growth is to apply the same techniques and principles that allowed public health to conquer smallpox, polio, typhoid, and other major infectious diseases in the 20th century to 21st century "cyber infection" control?