Even our home energy controls are becoming smarter. As humans increasingly inlay technology into daily life, greater interaction necessitates both dialogue and action.
We must critically examine the question of cyber security through the lens of public safety (a term of art called cyber safety). We should identify and safeguard the everyday—and often overlooked—intersections of cyber security and human activity, intersections I call “cyber life zones.”
In a May 2016 talk given by Joshua Corman, director of the Cyber Statecraft Initiative at the Atlantic Council, three key characteristics emerged which help distinguish cyber life zones.
1. A cyber security failure might lead to loss of human life. At the recently concluded DEF CON 24 conference in Las Vegas, a team of researchers created ransomware designed to hold smartly-connected devices hostage. The DEF CON team used a thermostat, coupling the hack with a demand for money. In February, Hollywood Presbyterian Medical Center suffered a real ransomware experience. In this case, the hackers unwittingly stumbled on an electronic health records system. Malicious code automatically froze hospital staff out until they paid a $17,000 ransom. While accidents can paralyze hospitals, a motivated, targeted attack can do much more harm.
2. Cyber security failures lead to a lack of confidence in the underlying systems. We often link the term “cyber security” with protecting privacy or ensuring the availability of critical systems. Cyber life zones compel us to take a hard look at other areas as well. Take the automotive industry. Physical automotive failures, like faulty gas pedals, cause relatively few fatalities before the defect is identified and isolated. Cyber automotive failures could be much different, since cyber life zones expand the “attack surface” available to cyber criminals. Security researchers have already demonstrated the ability to infiltrate modern automotive systems. A cyber security failure might manifest simultaneously across an entire fleet, putting thousands of lives in jeopardy and crippling roadways. Drivers who don’t know who controls their wheel lose confidence in the very systems they’ve come to trust.
3. A cyber security failure might significantly damage faith in our financial markets or trust in the government’s ability to protect its citizens. US President Barack Obama has published his cyber security priorities, and they serve as a positive baseline. However, we must protect more than just nuclear power plants, federal banks, and electrical grids. While national-level organizations amplify areas such as aviation safety, what’s often neglected are national-level strategies and industry best practices specifically designed to address cyber safety in these systems.
To better protect cyber life zones, we must move past protection discussions centered on traditional critical infrastructure. We need a whole-of-government approach, but we also need industry partners, academia, think tanks, and perhaps most importantly, input from the hacker community.
There’s reason for optimism because diverse communities are already coming together to affect change. Government agencies such as the Federal Trade Commission and the Department of Transportation are starting to look more closely at cyber safety, while Congress has convened public and private hearings to learn from technical experts. Disappointingly, these positive efforts are far too isolated.
According to our National Security Strategy, “the United States has a special responsibility to lead a networked world.” Undoubtedly, Americans have the talent and innovative skills necessary to overcome these challenges and must harness the wave of technological progress sweeping across the globe. An updated strategy must address the cyber safety risks introduced by cyber life zones.
Next, government and industry must unite to examine the propensity for high-consequence failure, in everything from supply chains to stealth aircraft, and work hand-in-hand to increase defensibility and build resilience.
Lastly, just as an airline passenger demands an airworthy aircraft, so too must consumers demand cyber-safe products. When families purchase a new vehicle, safety data and crash tests are readily available. There’s no parallel for automotive or aircraft cyber safety, though there are models for automotive and healthcare industries.
The next time you send an e-mail from an aircraft, take a moment to appreciate the relative frailty of your cyber life zone. Americans must amplify the national dialogue regarding cyber safety and act to secure our interests. The alternative would be to accept the tragic consequences wrought by complacency and inaction.
Lt. Col Fairchild is the U.S. Air Force senior fellow at the Atlantic Council. The views expressed in this article are those of the author and do not necessarily reflect the official policy or position of the Air Force, the Department of Defense, or the US government.