The lecturer now outlines the hazards associated with billions of things being connected to the Internet and highlights nation state cyber warfare goals.As we’re approaching billions and billions of things connected to the Internet, imagine supply chain attacks for what we are calling the Internet of things. Everything’s being connected. I like this diagram on the right (see image). It’s the absolute worst diagram I could find. You have wires running from your toaster into the water of your toilet into a TV that’s showing you what’s inside the toaster. It’s like: “What?” Did the Congress put together this diagram? We have basically a vast, mind-blowing amount of things that are connected to each other, that your grandparents would never have thought it would need a microchip in them. This is a great diagram to put things in perspective (see left-hand image). In 2008 the number of things connected to the internet exceeded the number of people on Earth. In 2020 there will be 50 billion things connected to the Internet if we keep going at this rate. So this is all really hard to understand, especially if you’re making laws and policies to secure this stuff, and people really fail to see how connecting all these things together can have a real impact. They could be exploited by attackers. And so, because they don’t want to understand the problem, everyone is looking for a cyber Pearl Harbor, cyber Katrina, cyber 9/11. I just want to take these people and choke the life out of them, because it’s absolutely idiotic. And I’ll talk about why it’s idiotic. The reality of things is that the unsecured Internet is creating a pathway to destructive attacks. To quote Arthur Coviello – he was a keynote speaker at RSA 2013 – he said that attacks on digital systems that result in physical destruction will no longer require manual intervention (see left-hand image). In other words he’s talking about the Internet of things and how we’re creating so many more pathways for things to go wrong, because everything’s connected.
I may be able to attack you not through basically your machine – perhaps, through some device that has a computer in it, and I can host my malware there, use that as a pivot point, perhaps on your fridge; and perhaps poison you and kill you by manipulating things in your fridge, or something like that. Or perhaps, infect the entire city’s air conditioning units and cause them all to turn off and on at synchronized times, and that will cause effectively a whiplash on the power grid. These are little things, if you understand how these things work it just blows your mind. And so, in effect, what he’s trying to say is that there’s going to be so many things that can go wrong; we can’t rely to responding to these things in a manual way. We have to have faster and smarter intervention. We have to have automated smart defense systems to deal with these things.So, here is the perception: we only see the tip of the iceberg, and no one really understands what’s below (see right-hand image). The reality is that it’s really worse than what we’re seeing. But we don’t know how worse it is. Before we proceed, it’s wise to note human nature that no one admits, no one likes admitting they got hacked. Admitting your company got breached is really bad for business. So, many of these things actually get pushed on the road.
So our perception is naturally just worse due to human nature. So, what will it take to breach this gap? It’s a really tough question. Everyone’s hoping for these cyber Pearl Harbors and Katrinas, and it’s kind of understood that that will breach the gap. Do we really have to wait for something that bad? That’s what people at the RSA and this conference are trying to ask. It’s a good question. Why do we have to wait for this? We know it’s that bad.Well, it really comes down to the fact that the kinetic aspect of cyber security, the kinetic impacts are really hard to think about. And as for warfare, cyber warfare is totally unlike kinetic warfare (see left-hand image). When you launch a Tomahawk group missile, it’s gone, it’s spent. When you launch a Stuxnet, someone can copy and paste it and use it somewhere else.
And battles in cyber space need not be won with decisive attacks. If I get a backdoor in your system, I can just own you all the time. There also need not be any real victory objectives – it’s not like I go and take capital and it’s game over. And then everything in cyber warfare can be automated: we have malware, Trojans, etc. We’re not going to face war fatigue; we’re not going to have families with soldiers overseas, missing their daughters and sons. There’s not going to be a public protest. Cyber warfare can go on forever. So, it can be basically a very effective tactic for a long-term attrition to perhaps tip the balance of power. And effectively, you can play very efficiently by just cheating, lying and robbing other people blind.The cyber-kinetic perception (see right-hand image) is one of the main problems. There’s some good work being done. I think the SANS institute, they’re putting together a mock town, like a model train set town, and it’s a cyber war training simulator. They have basically a little military base, a hospital, a power plant; essentially they have all these interesting scenarios, like enemies have hacked into a power plant and they’ve locked out the defenders. You have to hack in yourself and kick them out and turn everything back online.
There’re people who’ve hacked missile launchers at the military base. You have to hack them to disable them or they’re going to blow up the hospital. It’s obviously toy stuff, but it’s unfortunately what is necessary to make important people in this country and in the world understand the consequences of what can go wrong in cyber space.So, let’s talk about perhaps the goals of, say, if FSU or some country wanted to go to war with UF and other country. What goals would you have? We’d probably have political goals, we’d want to influence perhaps the value of our students over theirs – our degrees are worth way better, we pump out X number of degrees, our GDP is way better than yours.
We may want to sabotage your students. We perhaps want to influence the balance of power, perhaps make our football ratings look better, or stuff like that. We perhaps want to censor bad stories about us, or stomp out the dissidents. We perhaps want to steal their good ideas, steal their research and aim for bad people, so we can keep our competitive advantage. And so we want to, if we’re going to face them in football, maybe spread rumors on our forums: “Hey, our star players are down”, so they change their tactics.
But also it’s more real setting on the world stage. It’s completely reasonable to engage in cyber warfare to prevent war, especially to prevent world war and nuclear war. It obviously was going on with Stuxnet and Iran’s attacks. Whoever was behind them is obviously trying to berate them for having nuclear weapons, because they believe that they will use them. They’ve only told the UN that they will do that a dozen times.