The recent Mirai botnet attack shows how vulnerable the Internet of Things is to compromise and exploitation. Business Reporter’s resident U.S. blogger Keil Hubert argues that it’s irrational to expect consumers to complete hundreds of hours of academic training each in order to adequately harden their consumer goods.
Our consumer goods turned on us last month – viciously – and made life considerably more difficult for a bunch of companies. As The Register’s Chris Williams wrote during one of the mid-attack updates: ‘A vast army of hijacked internet-connected devices – from security cameras and video recorders to home routers – turned on their owners and broke a big chunk of the web.’ The distributed denial of service (DDoS) attack against US-based DNS provider Dyn caught a lot of cyber security boffins’ attention for its extensive use of the Mirai botnet – that is, an army of internet-connected consumer electronic devices like webcams, security cameras, video recorders and other disposable bits of simple electronic kit. The DDoS initiators were able to deploy tens of thousands of home devices as virtual artillery pieces against Dyn by logging into the devices with their factory-set default user IDs and passwords.
This was a big deal. Security researchers have been warning the world about exactly this happening pretty much exactly this way for years now. Meanwhile, consumer goods manufacturers have kept engaging in the same sloppy (one might even say ‘negligent’) design practices, manufacturing products that are vulnerable to this sort of exploitation and weaponization. Heck, I warned y’all about it back in my July 2014 column for the print edition of Business Technology in a piece called ‘Dangers of the modern world: getting mugged by your appliances’. This isn’t new.
Here’s the threat in a nutshell: manufacturers of consumer goods have an economic incentive to make their products as simple and as cheap as possible. A manufacturer that invests in robust and effective cyber security features for its model is going to get outsold by the manufacturer that slaps together a dodgy piece of crap because adding features costs more, and consumers buy on price. Making things worse, the majority of consumers don’t demand effective security in their appliances, and most buyers won’t pay extra for features that they don’t understand. This is why designers and manufacturers don’t emphasize those features – there’s no competitive advantage in it. This is how we wound up with millions of easily exploitable cyber attack platforms deployed across the world, masquerading as innocuous home gizmos. See previous, re: big deal.
This DDoS attack made the news because it affected millions of users who had no idea that they were part of a vast criminal endeavour. Strangely, while I was typing the first draft of this column at a local restaurant, I asked my waitress what she knew about the outage. She looked at me like I was crazy and said she had no idea what I was talking about. That, too, is a big deal. If normal people like my waitress took responsibility for their gizmos, we’d reduce the baddies’ ability to conduct their nefarious activities. I have a theory as to why my waitress was innocently (and charmingly) clueless, and it’s based – believe it or not – on the problem of unreasonably expensive proficiency.
I know that sounded a bit weird. I get it. Bear with me a minute because I’m going to have to go a bit sideways and historical to make this make sense.
I had a revelatory experience a long time ago, in a small city in Nowhere, Kansas. I was around halfway done with high school. Our stock-standard English teacher was running her class on rails, delivering the vanilla state-mandated curriculum with all the enthusiasm one associates with filling out income tax forms. No one enjoyed the class. No one really hated it either, mostly because passing it required no real effort.
We had all sorts of students in the class, running the spectrum from football hooligans to our town’s only violin virtuoso. The teacher would assign a few chapters of reading each week as homework. Every Friday, she’d ask us what we thought of the section that we’d read. People would throw out semi-random responses, and the teacher would tell us that we were all completely wrong. It didn’t matter what we’d said. It was the sort of experience that puts normal people off reading entirely, but it worked well as a non-threatening class since you really couldn’t fail it (you just endured it).
Anyway, we’d just finished slogging through Shakespeare’s Julius Caesar when our teacher pulled a fast one on us. She ditched the next standard title in the curriculum and assigned us to read Truman Capote’s debut novel Other Voices, Other Rooms. Bear in mind, none of the kids in the class had ever heard of Capote before. No one was aware of his reputation. We had no idea that the ‘fiction’ story we’d been assigned was his semi-autobiographical coming-of-age tale. In fact, the idea that we were expected to discuss a teenage boy accepting his homosexuality in a Kansas public school was shocking. These were things that one did not discuss. There wasn’t a single acknowledged homosexual in our entire high school. Back in those days, such revelations just did not happen. 
I had no idea what I was reading at first. I’d never encountered a Southern Gothic story before, let alone anything as lurid as Voices. I finished the book long before the assigned date and asked some of the ‘gifted’ kids in class to help me wrap my head around the content. My best mate Chris explained the symbolism and helped me grok the recurring metaphor of the missing parents. One of the girls explained why the novel’s cross-dressing scenes were supposed to be shocking. Another girl explained the culture of far-off Louisiana, where the story was set. Within about a week, our study group came to the joint conclusion that there’d be a huge backlash from the other students’ parents (most likely the town’s evangelicals) when they learned what we’d been studying.
Every day after that, we came to class expecting that today would be the day that the angry mob burst in and threw a fit over the teaching of ‘decadence and filth’. We figured we’d have a front row seat to the chaos as angry adults challenged the teacher’s authority. At the very least, we figured that one of the more sheltered kids would realize what the story was about and spectacularly lose his or her composure. Every day we came to school and discussed a new chapter. Every day we left confused that today hadn’t been that day. The angry morals squad never made an appearance.
After about three weeks or so of slogging lazily through Capote’s book, the module was up and we shuffled dully along to another written work that no one seemed to care about. There wasn’t any drama. No one ever raised a stink over it. Voices came and it went, and no one seemed to care.
At first, I wondered if maybe I’d been all wrong about the kids I’d grown up with. Maybe they were more accepting and socially liberal than I’d previously given them credit for. Maybe they weren’t bothered by the idea of a young man rejecting conventional society. Maybe they didn’t really object to young men ‘coming out’. Gosh darn it, maybe these people weren’t as narrow-minded and bigoted as I’d always suspected they were!
A few days later, I overheard one of my footballer classmates harassing a smaller and weaker kid in the cafeteria. When he casually tossed out the insult ‘gay-wad’, it struck me that I might have been completely wrong about being completely wrong about him. The bully wasn’t liberal. He wasn’t sophisticated or modern. He was just thick. So, if I’d been right about him all along, why hadn’t Capote’s story changed his perspective any?
I came to realize that the reason why this particular footballer (and, by logical extension, the other kids in our English class) hadn’t had any meaningful reaction to the topics, themes or scenes in the novel was because they hadn’t read the bloody thing! They’d listlessly endured the in-class discussions by evading the teacher’s rote discussion questions. If you’d asked most of my classmates to summarize what the book had been about, all you were likely to get were vague clichés and blank stares.
This exact same phenomenon sabotages our best efforts at hardening users against cyber security threats. Feel free to assume that I’m crazy, but please hear me out.
My classmates hadn’t read Capote’s book because they didn’t need to read it in order to pass English class. The teacher’s arguments about how important it was to learn how to analyse literature fell on deaf ears. Not because they were necessarily anti-intellectual or unintelligent. Those kids were clever enough to work out that there was no advantage to be gained in actually investing the effort required to meet the teacher’s stretch goal. Her goal was lofty and ambitious; their goal was to graduate.
The kids in that English class are a good analogue for the general user population. Specifically, these were normal kids trying to get through life. They weren’t the least bit interested in reading Julius Caesar or Other Voices. These kids weren’t dumb or malicious – they just had competing priorities. They wanted to get past all the obstacles that adults kept putting in their way and address the things that they felt were important: sports, church, jobs and romance. They had a finite amount of time and energy to devote to optional pursuits, and ‘appreciation of literature’ didn’t make the cut.
In the business world, we push cyber security awareness on our users as a condition of employment. Business users have to pay attention to our messages because they might suffer consequences if they don’t. They’re like university English majors, in that they may not be personally interested in what we’re saying, but they’ll put in the effort required to pass a test on it because they know it’s required to get (or to stay) employed. Often, we cyber security people tend to assume that everyone reacts to our messages like business people do because that’s how people respond to us in the office.
In reality, home users – normal people who have no natural interest in our obscure technical domain – aren’t listening to us when we yammer on about ‘patching’ and ‘password changes’. These folks just want to get through their day and maybe score a little time to relax. Just like the kids in that English class, these people have a hundred other activities competing for their attention. They don’t have the time to invest in pursuing the equivalent of a university degree in computer security.
I can empathize with that. I really can. I was curious about learning computer programming when I got to university, but when my mates warned me that I’d need to complete at least 21 hours of advanced math classes – including differential equations (whatever that is) – in order to start learning how to program in C, I crossed programming off of my list of reasonable activities forever. I don’t have hundreds of idle hours (or thousands of pounds for tuition) to study advanced mathematics and compiler theory just to satisfy a curiosity. I can use my copy of Word to write my weekly column without knowing how Microsoft’s programmers defined their variables.
That’s effectively how the majority of home users feel about the cyber security proficiency requirements that we industry advocates say everyone needs in order to protect their Internet of Crap devices. The overwhelming majority of consumers would like to make their cameras and refrigerators and baby monitors safe. They’re not monsters. They don’t want to be part of a criminal enterprise. On the other hand, they don’t have hundreds of hours of idle time to invest in all of the background engineering studies that it takes to achieve technical security proficiency.
That’s why it doesn’t matter how loudly and how often we repeat ourselves when admonishing end users about their poor security habits. The barrier-to-entry required for the average consumer to achieve a reasonable level of technical proficiency in order to understand what we’re preaching is just too damned high. It’s impractical for us to insist that billions of consumers go back to school just to safely operate their televisions.
Instead, I’m arguing that we need to apply pressure on the other end of the equation if we want to effectively attack this problem. If we can’t solve the end user side through education, then we need to attack the design and manufacturing side through regulation and accountability. If governments and industries can compel device creators to build common best-practice cyber defence measures into their products – and thereafter hold those manufacturers who don’t comply to standards legally accountable – then maybe we can reduce the number of inherently insecure and exploitable devices flooding the consumer market.
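To make the ‘build it in at the factory’ argument concrete, here is an added example (mine, not code from the column, Dyn, or any device vendor) of the one design change that would have blunted the attack described above: a device whose remote administration stays switched off until the owner replaces the factory-set password with one that is neither a known default nor trivially short. The class name, the method names, the small default-credential denylist and the sample passwords are all constructed for this illustration.

```python
"""First-boot credential policy for a consumer IoT device (illustrative)."""
import hashlib
import hmac
import secrets

# Constructed sample of factory-default pairs the device refuses to keep.
# A shipping product would carry the vendor's own, much longer list.
KNOWN_DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("user", "user"),
}
MIN_PASSWORD_LENGTH = 12
PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the stored secret is not the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Device:
    """Administrative credential state of one unit as it leaves the factory."""

    def __init__(self, factory_user: str, factory_password: str):
        self.factory_password = factory_password
        self.username = factory_user
        self.salt = secrets.token_bytes(16)
        self.password_hash = _hash_password(factory_password, self.salt)
        # The gate the column's argument turns on: while this flag is set,
        # logins from outside the local network are refused outright.
        self.factory_credential_in_use = True

    def check_new_password(self, username: str, password: str) -> str:
        """Policy check applied before any owner-chosen credential is accepted."""
        if (username, password) in KNOWN_DEFAULT_CREDENTIALS:
            return "rejected: known factory-default credential"
        if password == self.factory_password:
            return "rejected: same as this unit's factory password"
        if len(password) < MIN_PASSWORD_LENGTH:
            return f"rejected: shorter than {MIN_PASSWORD_LENGTH} characters"
        return "accepted"

    def set_owner_credential(self, username: str, password: str) -> str:
        """Replace the factory credential; only then is remote admin enabled."""
        verdict = self.check_new_password(username, password)
        if verdict == "accepted":
            self.username = username
            self.salt = secrets.token_bytes(16)
            self.password_hash = _hash_password(password, self.salt)
            self.factory_credential_in_use = False
        return verdict

    def authenticate(self, username: str, password: str, from_lan: bool) -> str:
        """Login decision for a request arriving from the LAN or from the internet."""
        if not from_lan and self.factory_credential_in_use:
            return "denied: remote administration disabled until setup"
        if username != self.username:
            return "denied: bad credentials"
        candidate = _hash_password(password, self.salt)
        if not hmac.compare_digest(candidate, self.password_hash):
            return "denied: bad credentials"
        return "ok"


def walkthrough() -> list:
    """Constructed scenario: a fresh unit, an internet login attempt, then setup."""
    cam = Device("admin", "admin")
    steps = [
        cam.authenticate("admin", "admin", from_lan=False),   # blocked from the WAN
        cam.authenticate("admin", "admin", from_lan=True),    # owner on the LAN may log in
        cam.set_owner_credential("admin", "password"),        # refused: known default
        cam.set_owner_credential("admin", "short1"),          # refused: too short
        cam.set_owner_credential("admin", "porch-camera-2016-lilac"),
        cam.authenticate("admin", "admin", from_lan=False),   # old factory password now useless
        cam.authenticate("admin", "porch-camera-2016-lilac", from_lan=False),
    ]
    return steps


if __name__ == "__main__":
    for line in walkthrough():
        print(line)
```

The point of the walkthrough is the ordering: the factory password still works on the local network so the owner can finish setup, but it never works from the internet, and it stops working everywhere the moment a compliant replacement is chosen. Shipping each unit with a unique factory password printed on its label (rather than a per-model default) would be the natural next step, and it is the kind of concrete, testable requirement a regulator could write into a standard.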
The end of Capote’s novel (spoilers!) involved the protagonist accepting who he was, knowing that this acceptance likely condemned him to spend the rest of his life at odds with mainstream society. In some respects, the thousands of us who make our living as cyber security professionals have to accept that we, too, are placing ourselves at odds with mainstream consumer society. Because we chose (for whatever reason) to invest hundreds of hours each in advanced study of a complex (and arcane) technical engineering field, we represent something that most end users can’t identify with. Most people simply don’t have the time, money or interest in following us into our profession, and it’s foolish to demand that they emulate us in our academic interests.
I agree that there’s a certain minimum level of core technical proficiency that everyone needs to possess in order to function in the modern world. That being said, that minimum level of technical skill can’t unreasonably require hundreds of hours of technical education. Those of us who understand the complex threats and countermeasures need to leverage our expertise to take the burden of device hardening off of the consumer and place it on the manufacturer, where it belongs.
That was considered a ‘big city’ issue, not something that happened way out in the sticks.
Hence the novel’s reference in the title to Joel being condemned to ‘always hear other voices and live in other rooms’.
Title Allusion: Truman Capote, Other Voices, Other Rooms (1948 Novel)
POC is Keil Hubert, firstname.lastname@example.org
Follow him on Twitter at @keilhubert.
You can buy his books on IT leadership, IT interviewing, horrible bosses and understanding workplace culture at the Amazon Kindle Store.
Keil Hubert is a retired U.S. Air Force ‘Cyberspace Operations’ officer, with over ten years of military command experience. He currently consults on business, security and technology issues in Texas. He’s built dot-com start-ups for KPMG Consulting, created an in-house consulting practice for Yahoo!, and helped to launch four small businesses (including his own).
Keil’s experience creating and leading IT teams in the defense, healthcare, media, government and non-profit sectors has afforded him an eclectic perspective on the integration of business needs, technical services and creative employee development… This serves him well as Business Technology’s resident U.S. blogger.