Internet of things

Many nation-states seek to gain access to state infrastructure and hold it at risk. While the affected state may be countering state-launched cyberattacks, aggressor states leverage proxies and cutouts to expose weaknesses in critical infrastructure, smart cities, and smart devices that leverage IoT.

Up to this point, you have been exposed to many areas of cybersecurity policy, nation-state capability, threats, responses, and much more.
The opportunity for nation-state and proxy hackers to gain access to, exploit, and hold a system or device at risk has increased.

(Prompt Question 1) Thinking critically, how would you illuminate the threat of IoT advancement to industry technology sectors that focus much of their time on development and integration rather than on the protection of fielded IoT?

(Prompt Question 2) Thinking critically, who bears the bulk of the blame when IoT (e.g., Alexa, Siri, etc.) devices are compromised, and malicious activity leads to the loss of life?

Full Answer Section

     
  • Illustrate the potential consequences of IoT compromises. A compromise of IoT devices can have a wide range of consequences, including:
    • Disruption of critical infrastructure: IoT devices are increasingly being used in critical infrastructure sectors, such as energy, transportation, and healthcare. A compromise of these devices could lead to widespread disruption and damage.
    • Data theft: IoT devices often collect and store large amounts of data, including personal and sensitive information. A compromise of these devices could lead to the theft of this data.
    • Physical harm: IoT devices are increasingly being used in physical systems, such as medical devices and industrial control systems. A compromise of these devices could lead to physical harm, including injury and death.

I would also use specific examples of IoT compromises to illustrate the threat. For example, in 2016, hackers used a botnet of IoT devices to launch a distributed denial-of-service (DDoS) attack against Dyn, a major DNS provider. This attack caused outages for many popular websites, including Twitter, Amazon, and Reddit. In 2021, hackers exploited a vulnerability in Kaseya VSA, a remote monitoring and management software product, to launch a ransomware attack against thousands of organizations worldwide.

To reach industry technology sectors, I would use a variety of channels, including:

  • Industry conferences and events: This would allow me to reach a large number of industry professionals in a single setting.
  • Industry publications and websites: This would allow me to reach a wider audience and to provide more in-depth information about the threat.
  • Direct outreach to industry leaders: This would allow me to engage with key decision-makers and to tailor my message to their specific needs.

Prompt Question 2

Thinking critically, who bears the bulk of the blame when IoT (e.g., Alexa, Siri, etc.) devices are compromised, and malicious activity leads to the loss of life?

The answer to this question is complex and depends on a number of factors, including the specific circumstances of the compromise and the actions taken by the parties involved. However, in general, I would say that the following parties bear the bulk of the blame:

  • The manufacturer of the IoT device. The manufacturer is responsible for designing and developing a secure device. If the device is vulnerable to attack, the manufacturer is to blame.
  • The seller of the IoT device. The seller is responsible for informing consumers about the security risks associated with the device. If the seller fails to do this, the seller is to blame.
  • The consumer. The consumer is responsible for taking reasonable steps to protect their devices from attack. This includes installing security updates and using strong passwords. However, the consumer should not be expected to bear the brunt of the blame if a device is compromised due to a vulnerability that the manufacturer or seller failed to disclose.

When IoT devices are compromised and this leads to the loss of life, there is a moral obligation on all of the parties involved to take responsibility for their actions. However, in terms of legal liability, it is likely that the manufacturer and seller of the device will bear the bulk of the blame.

Additional considerations

In addition to the parties mentioned above, there are a number of other stakeholders who may share some of the blame for IoT compromises, including:

  • Government agencies. Governments have a responsibility to regulate the development and sale of IoT devices. If a government agency fails to do this effectively, it may share some of the blame for IoT compromises.
  • Standards organizations. Standards organizations develop security standards for IoT devices. If a standards organization fails to develop effective standards, it may share some of the blame for IoT compromises.
  • Security researchers. Security researchers play an important role in identifying and disclosing vulnerabilities in IoT devices. If a security researcher fails to disclose a vulnerability in a timely manner, they may share some of the blame for IoT compromises.

Conclusion

The threat of IoT advancement to industry technology sectors is significant. Industry leaders must take steps to protect their

Sample Answer

   

To illuminate the threat of IoT advancement to industry technology sectors that focus on development and integration, I would:

  • Highlight the increasing sophistication and frequency of nation-state-sponsored cyberattacks. Nation-state actors have the resources and expertise to launch highly sophisticated attacks against critical infrastructure, including IoT devices. In recent years, there has been a significant increase in the number and severity of nation-state-sponsored cyberattacks.
  • Emphasize the vulnerabilities of IoT devices. IoT devices are often designed and developed with a focus on functionality and cost, rather than security. This makes them vulnerable to a wide range of attacks.