In a relatively short time we've taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters.
Mr. Jarmoc was, of course, referring to the cyberattack last week that shut down access to many major websites (including, ironically, Twitter) for much of the day Friday. The attack was what is called a distributed denial of service (DDoS) attack, which means that the hackers flooded a key part of the Internet infrastructure with essentially spam service requests. In this case, they targeted a company called Dyn, whose Domain Name System serves as a directory for web addresses. Legitimate requests to it could not be fulfilled.
What makes this even more interesting is that the hackers conducted the attack using hundreds of thousands, perhaps millions of Internet-connected devices -- e.g., webcams, routers, TVs, DVRs, security cameras, perhaps even the odd toaster or two. This "botnet army" used code called Mirai that was originally developed by gamers to deny online access to rival gamers.
As FastCompany reported, there had been warnings about attacks by these "Internet of Things" devices for some time, but the attack was still successful, rendering over 1,000 websites unavailable. The reasons for it are not clear. A security blogger told The Wall Street Journal: "I believe somebody’s feelings got hurt and that we’re dealing with the impact. We’re dealing with young teenagers who are holding the internet for ransom."
I don't know if that should make me feel less scared, or more.
The New York Times warns of "a new era" of attacks powered by IoT devices, noting that many of them come with weak or nonexistent security features -- and that there soon could be billions of them in use. A recent survey (The Internet of Stranger Things) confirms that most of us are worried about the cybersecurity risks of our various devices, but few of us have actually done anything about them.
We may buy cybersecurity programs for our computers, and try to beef up our passwords, but probably most of us aren't doing the same for our refrigerators or our cars. Yet those are the kinds of devices we now need to worry about.
It's worse than that. As The Times further noted:
The difference with the internet is that it is not clear in the United States who is supposed to be protecting it. The network does not belong to the government — or really to anyone. Instead, every organization is responsible for defending its own little piece.
Decentralized is good, until it is not.
What does this have to do with health care? Plenty, as it turns out. IoT devices are increasingly helping us manage our health and medical care. IoT in health care is expected to be a huge market -- perhaps 40% of the total IoT, and worth some $117b by 2020, according to McKinsey. Expected major uses include wearables, monitors, and implanted medical devices.
The problem is that many manufacturers haven't necessarily prepared for cyberattacks. Kevin Fu, a professor at the University of Michigan's Archimedes Center for Medical Device Security, told CNBC: "the dirty little secret is that most manufacturers did not anticipate the cybersecurity risks when they were designing them [devices] a decade ago, so this is just scratching the surface."
Again, I'm not sure if the fact that there already are such centers as Dr. Fu's should make me feel less scared, or more.
Cybersecurity concerns for health care don't just involve the Internet. Earlier this month J&J warned that one of its insulin pumps was vulnerable to hackers, who could spoof communication between the device and its wireless remote control. The company sent letters about the risk to some 114,000 patients and their doctors, while claiming that the risk was low and that they knew of no such attacks -- yet.
One has to wonder how many other vulnerable devices there may be.
When it comes to health care, DDoS would be at best an inconvenience, and at worst life-threatening, but the cybersecurity risk most people still worry the most about is privacy. We're going to need to be reassured both that the Internet-based services will be there when we need them, and that our privacy won't be compromised by them. Those are, unfortunately, tough asks.
After all, healthcare is the industry whose data and systems are already being held for ransom by hackers so amateur that they've sometimes settled for as little as $17,000 in bitcoin. Meanwhile, cyberattacks on electronic health records are growing "exponentially," according to a new GAO report. The GAO estimated that 113 million records were breached in 2015 -- up from 12.5 million in 2014, and less than 135,000 in 2009. One has to imagine hackers are drooling over the vulnerability of IoT data.
The Street reports that "traditional" IT security firms (such as Symantec) are already focusing on IoT, as well as new players like PTC or Synopsys, but also warns that, when it comes to IoT for health, security is still a major concern. As Ivan Feinseth of investment bank Tigress Partners told them, "the connected car and house are really, really cool, but none of that is more important than healthcare."
Unfortunately, investment in cybersecurity for IoT remains low, with estimated spending on it only around $390 million, according to ABI Research. That's out of some $5.5b in healthcare cybersecurity spending in 2016. ABI estimates IoT cybersecurity spending will triple by 2021, but that still may lag far behind the spread of health IoT devices.
We've grown used to being hyperconnected, through email, the web, our mobile devices, and are just starting to explore the possibilities of IoT. The Pandora's Box of connectivity is not going to close. However, the basic structures of the internet are some 40 years old now, those of the World Wide Web some 25 years, and it may be time to figure out what comes next, especially because of IoT.
Whether that is the "Internet2," whether that is the "browserless experience" Acquia Labs envisions, whether that is blockchain -- I don't know. What I do know is that a cyberwar in health is one in which we can't afford to lose many battles, so we'd better figure out something quick.
Before my toaster decides to do something mean to me.