Sadly, in our digital world, threats seem to come out of the ether. It’s not hard to imagine cars and planes crashing as a result of a cyber attack. Or hackers bringing down a network of power plants. Or a global adversary influencing U.S. elections by hacking voting machines. “The next president will probably be forced to deal with a large-scale internet disaster that kills multiple people,” says Bruce Schneier, a security technologist in a Motherboard article.
Such IoT doomsday scenarios not only grab attention, they can actually happen. They are even likely, say some security experts.
Hackers Rigging Elections
Hackers who breached the Democratic National Committee in July showed the world that hacking a U.S. election is now possible. A recent survey from Tripwire found that 60 percent of security professionals believe that cyber criminals are influencing the outcome of the 2016 presidential election.
“Election security is critical, and a cyberattack by foreign actors on our elections systems could compromise the integrity of our voting process,” a member of the Senate Homeland Security Committee wrote in a letter recently.
After Bush v. Gore in 2000, electronic voting machines were seen as a more-accurate alternative to older technologies. That’s because nearly two million paper ballots were disqualified in Florida because they caused errors when inserted into vote-counting machines.
A Princeton grad student, for instance, broke into a voting machine dubbed Sequoia AVC Advantage in seven seconds, Politico reported. Princeton professor Andrew Appel co-authored a research paper in 2008 that found that the AVC Advantage machine could be easily breached with viruses that can cause inaccurate tallies of votes.
The FBI recently announced it had uncovered evidence that hackers had broken into election databases in Arizona and Illinois, taking personal data from up to 200,000 people in Illinois. ABC News reported that the FBI has warned all states to improve the security of online voting systems.
IoT-Fueled Cyberwarfare and Other Risks
A cyberwarfare arms race has been going on behind the scenes. The uncovering of the Stuxnet virus, purportedly developed with the support of the NSA, showed that advanced malware existed in 2010 and that spy agencies could destroy Iran’s nuclear centrifuges.
According to a 2013 article in Der Spiegel—roughly the German equivalent to Time magazine—NSA is looking to move beyond mass surveillance with hopes of developing cyberweapons that can target infrastructure, including power plants, water supplies, factories, airports, and banks.
Related: Select the Most Vulnerable Security Targets
After Stuxnet, Iran reportedly beefed up its cyber militia. Iranian hackers were believed to be behind a 2013 attack on a New York dam and a separate attack on the U.S. banking system in that same year.
And it’s not just Iran. Earlier this year, John Hyten, commander of Air Force Space Command, reported that China and Russia had developed “cyber tools [and other weapons] to deny, degrade, and destroy our space capabilities.”
Attackers in China are increasing the scope of its targets around the world, Bloomberg reports. According to Kaspersky Labs, Chinese hackers have launched 194 attacks against Russian defense, nuclear, and aviation targets in the first seven months of this year.
Many of these alleged attacks sound preposterous to those outside of cyber-security circles, yet they hold seeds of truth.
Security expert Pablos Holman says, “Most hacking is super esoteric. All that is happening is some zeros are changing into ones in a computer somewhere. But when you talk about something like shutting down the power grid, that is something people can relate to.”
New Opportunities for Hackers
The yearly loss at the hands of cybercriminals for the global economy is in the ballpark of $400 billion. It’s only going to get worse with the Internet of Things, which brings billions of connected devices and a smorgasbord of operating systems to the cyberscape.
IoT is expanding at a rate that leaves many security experts on edge. Only three out of 10 security experts say they feel confident in their organizations’ ability to protect against IoT-related risks, according to a recent survey from Tripwire. Even worse, only half say their organization accurately tracks the number of IoT devices on the network.
While there’s little consensus on how to respond to IoT-related cyberattacks, one thing is certain: Anyone using IoT better think carefully about security, because nightmarish IoT attacks can and will occur.
“You have to understand the fact that we are not going to win,” Holman says. “You have to play the game, and that game is pretty well defined. Make sure you are not the low-hanging fruit. The attacker has got to be really motivated to go after somebody specific. Usually, they are going after whoever is easiest.”