As if protecting organizational systems from data theft and abuse weren’t a big enough challenge, “Poor cybersecurity hygiene is now having life-altering effects” says Joshua Corman, Director, Cyber Statecraft Initiative at the Atlantic Council.
Corman is referring to recent cyber attacks on critical infrastructure—hospitals in the U.S. and U.K., and the Ukrainian power grid—which caused disruption and suspension of service that could have cost people their lives. Researchers, too, are doing their part to identify vulnerabilities in critical systems which, if exploited, could crash cars, disable life-saving health monitoring devices, prohibit access to utilities, or even cause explosions. While much of the potential is theoretical at present, Corman and his colleagues are working hard to ensure the U.S. government and private organizations alike are taking the warnings seriously, enacting legislation, frameworks, and guidance that will prevent some of the theoretical from becoming reality.
During a recent interview with Infosec Insider, Corman iterated that “This is more than denial of service or stolen data.” We’ve seen (likely) state-sponsored attacks ratchet up as of late, and the number of connected and insecure devices is concerning to security practitioners. One of the problems, though, is that connected devices are not always (not usually) developed with security in mind, and any security controls are either implemented after the fact or become the responsibility of the device owner. “Seventy-five percent of hospitals don’t have a single security person” even though they are “hyper connected,” Corman offers as an example of the problem.
Because the potential for catastrophic damage is simmering just below the surface and entities are not equipped to handle the challenges, the Atlantic Council has been hard at work speaking with the government about cyber safety policy guidance and regulations that will help manufacturers and developers place cybersecurity at the forefront. Eight new cyber safety policy maneuvers and a pending executive order are currently underway in the U.S., but Corman says they’re nascent. “We’ll have to crawl then walk then run,” he says, but adds that what he’s seeing is encouraging. Device manufacturers have the advantage of adopting best practices from traditional security environments.
In the full video interview with Infosec Insider, Corman shares his thoughts on and concerns with the current state of cyber security, privacy, and safety.
To hear more about IoT security, make sure to visit us at the upcoming InfoSec World Conference & Expo in Orlando.