The recent Mirai cyberattack, where several devices connected in the ecosystem collectively referred to as the Internet of Things (IoT) were hacked, converted into a botnet, and directed to execute distributed denial of service (DDoS) attacks on popular websites such as Twitter, Spotify and SoundCloud, highlights the continuing need to battle cyber threats. So do the banking hacks of last month when 3.2 million debit cards were compromised, most likely due to malware in the systems of Hitachi Payment Services, which managed the “switch” to inter-bank networks. Reliance on the existing cybersecurity frameworks to address these threats—notifying users, tracking the source of the hack and improving protection for the future—seems to send out the message that nothing new can be done beyond more of the same old. Cyber threats are a necessary evil and we just have to protect ourselves better against them.
But on closer analysis, the nature of these attacks, especially Mirai, reveals how ineffective more of the same old will soon be. In a world of connected washing machines, hair dryers, air conditioners and television sets, an intrusion into any one of the connected points—and there are many of them indeed—can result in drastic consequences for both the virtual and real world.
Current scenario-building exercises that envisage critical infrastructure projects being taken over by dangerous third parties or rogue nations, or huge swathes of private information stolen from information repositories such as servers and cloud storage systems, ignore the equally disturbing consequences arising from the inefficient functioning of devices connected to the Internet. Even the response of banks to the debit card hack mirrored this sentiment when predominant attention was devoted to the quantity of money skimmed through the unauthorized transfers to arrive at a figure much lower than previous hacks elsewhere.
The number of man-hours lost in rectifying the intrusion, the quality of service affected during the period when the attacks are on, the volume of business wiped out, the hardship to consumers and, above all, the sheer loss of trust which cautions people from switching to otherwise efficient modes of banking, are beyond tangible quantification, but are often ignored as independent justifications for policy intervention. The systemic inefficiency caused by attacks such as Mirai exceeds manifold the choke caused in the early 2000s by the spamming explosion, to which legal and policy responses were directed.
The evolving nature of the Internet, which today permits sensors, consumer devices, industrial machines and all kinds of appliances not fitting within conventional notions of a computer or even a smartphone, to connect and share data, leaves us with no choice but to clamp down on inefficiencies in the running of devices connected to each other and the Internet. Cyber efficiency, broadly defined by this writer as the efficient working of “connected” consumer and industrial appliances, and attacks on such efficiency in the form of hacks and unauthorized intrusions, merit independent attention and resultant policy frameworks, because they transcend “information technology” and move into the domain of “consumer technologies” and “manufacturing technologies”.
The rise of IoT compels us to add a new dimension to the cybersecurity story: the efficient functioning of consumer and industrial devices connected to the Internet and the consequences, including liability issues, arising from their malfunctioning. While cybersecurity has thus far been largely concerned with the efficient functioning of the pipe itself, i.e. the Internet, cyber efficiency as defined here will have to focus on the devices connected to the pipe. The recent projections of growth in industrial IoT (IIoT) make it particularly significant to focus on efficiency as an important and independent segment of cyber protection. Imagine a business rival hacking into a food-processing unit and tampering with the unit’s IIoT to cause excess waste, or into a connected car and lowering its fuel efficiency. These acts cause process inefficiencies in the physical world due to security compromises and lapses in connected devices.
India’s Information Technology Act needs revision to accommodate cyber efficiency as an independent metric of protection and policy intervention. A threshold policy question is whether all devices that potentially connect to the open Internet must be permitted market access as consumer and industrial devices. An IoT study by Hewlett Packard in 2015 revealed that 70% of the devices under study did not encrypt data to the Internet or local network, and 60% did not use encryption when downloading software. The prospect of mischief is high here, and we cannot afford to leave things entirely to evolution. A pre-licensing mechanism may not work and may even constrain technology, but the IT Act must factor in the possibility of post-assessment of consumer and IIoT devices and/or measuring them against standards already formulated by respected standards-setting organizations for IoT and machine-to-machine communications.
Current IoT policy must also factor in cyber efficiency, and not confine its attention to extreme situations of breach of security or privacy. The draft IoT policy of the department of electronics & IT and the IoT policy of Andhra Pradesh focus largely on issues of interoperability and market growth.
A welcome difference is seen in the recent consultation paper by the Telecom Regulatory Authority of India on machine-to-machine communications, which invites suggestions on possible changes to the IT Act to ensure the protection of consumer interest, and emphasizes the importance of quality of service standards at both the network and user end.
Efficient functioning of connected devices should play an important role in future policymaking in the Internet space. It would be unfair to customers to have “smart” products in the market that inefficiently perform their promised function due to security gaps. The state should consider laying down standards, focusing in equal measure on the devices connected to the pipe, and creating a system of incentives and disincentives to signal product manufacturers to comply with efficient standards.
Ananth Padmanabhan is an associate at Carnegie India.