The recent distributed denial-of-service attacks on various U.S. and world networks, leveraging compromised Internet of Things (IoT) devices, had long been predicted and discussed, and over the past few days they have been analyzed at length. There have been observations regarding the warnings that were expressed, and advice on what should have been done and what could and should be done now. In the days ahead there will be more. My comments are, I hope, going to be a bit different. The primary message I would like to deliver is that I don’t feel sorry for the industry as a whole for what has happened. We asked for it.
In the blog I wrote last week I described the process many businesses go through when attempting to manage technical risks, particularly in digital technology. I used the analogy of a poker game. I believe most enterprises attempt to balance the risks they take against the costs they must incur to guard against legitimate risks. It’s a constant game and a complex one, because instead of 52 cards in the poker deck there can be 300 in one game, then 500 in the next, and so on. In addition, the rules get changed in the middle of the hand, just to make things interesting. The analogy represents the variability of threats that increases risk.
I wish that it were as simple as a poker game, but it isn’t. With the use of devices normally considered part of the Internet of Things (and even peripheral devices like webcams that aren’t strictly thought of as IoT) in this attack and in the Mirai attack a couple of weeks ago, we are entering a “new normal”. The fact is that since we already have a “brownfield” environment of hundreds of millions of deployed devices, any solution we contemplate at the device level won’t be retrofitted into the chipsets in a uniform manner any time soon. That means that immediate solutions will be “compensatory”: they will compensate for the shortcomings of the device itself. We should be accustomed to this, since we already do it today for other weak points of the IT infrastructure. This is why we have “defense in layers”.
Naturally we will focus on networks as our first point of change, and you already see the major providers of domain name services (DNS) gearing up with techniques to handle the larger volumes and shifting directions of traffic typical of DDoS attacks. As the head of the NSA said, enterprises must focus on “data flows” in their entirety and complexity to determine what to do to secure against this type of attack, something Gartner was very pleased to hear him say, since we believe it as well. There will also be changes in other compensating layers, from operating system tweaks to software and access management mechanisms. But this attack goes much further in its implications. The age of dynamic, proactive monitoring, detection and response is now upon us. Data flows from many directions and of different types will require real-time, intelligence-driven analytics and automated response to anticipate potential attacks before they evolve into destructive states. This will accelerate the development and deployment of intelligent detection and automated response, particularly in networks and their reaction to anomalous data flows early in the process. We already do this today to handle changes in data flow from a capacity standpoint, but it obviously needs work when the capacity changes are deliberately induced on this scale and with this complexity.
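To make the “anomalous data flow” point concrete, here is an added example (my own illustration, not code from Gartner, Dyn or any DNS provider) of the kind of per-second flow analysis a network team can run over NetFlow/sFlow-style records. It flags a destination only when both the packet rate and the number of distinct sources jump well above a baseline for several consecutive seconds, which separates a botnet flood from a single noisy client or a legitimate traffic spike, and then returns a compensating rate-limit rule. The flow records, the baseline numbers and the rule format are all constructed assumptions for the example.

```python
"""Constructed example: flow-rate anomaly detection for a volumetric DDoS.

Records, baselines and the rule syntax below are made up for illustration;
they are not real traffic and not any vendor's format.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # second offset into the observation window
    src: str       # source IP
    dst: str       # destination IP
    dport: int     # destination port
    packets: int   # packets observed in this record


# Constructed baseline for a "quiet" second towards the protected destination.
BASELINE_PPS = 200.0   # packets per second
BASELINE_SRCS = 40     # distinct sources per second


def bucket_per_second(flows):
    """Aggregate packets and distinct sources per (dst, dport, second)."""
    pps = defaultdict(int)
    srcs = defaultdict(set)
    for f in flows:
        key = (f.dst, f.dport, f.ts)
        pps[key] += f.packets
        srcs[key].add(f.src)
    return pps, srcs


def detect(flows, baseline_pps=BASELINE_PPS, baseline_srcs=BASELINE_SRCS,
           pps_factor=10.0, src_factor=5.0, min_consecutive=3):
    """Return one alert per destination whose packet rate AND source fan-in
    exceed baseline multiples for min_consecutive seconds in a row.

    Requiring both signals is the point: a single client at 3000 pps is a
    misbehaving host, not a botnet, and a popular-but-legitimate spike rarely
    multiplies the number of distinct sources by 5x within seconds.
    """
    pps, srcs = bucket_per_second(flows)
    seconds_by_target = defaultdict(list)
    for (dst, dport, ts) in pps:
        seconds_by_target[(dst, dport)].append(ts)

    alerts = []
    for (dst, dport), seconds in seconds_by_target.items():
        run, run_start, peak, prev_ts = 0, None, 0, None
        for ts in sorted(seconds):
            key = (dst, dport, ts)
            hot = (pps[key] >= baseline_pps * pps_factor
                   and len(srcs[key]) >= baseline_srcs * src_factor)
            # A gap in observed seconds breaks the run.
            if not hot or (prev_ts is not None and ts != prev_ts + 1):
                run, run_start, peak = 0, None, 0
            if hot:
                run_start = ts if run == 0 else run_start
                run += 1
                peak = max(peak, pps[key])
                if run == min_consecutive:   # alert once, at the earliest confirmation
                    alerts.append({"dst": dst, "dport": dport, "start": run_start,
                                   "peak_pps": peak, "sources": len(srcs[key])})
            prev_ts = ts
    return alerts


def compensating_action(alert, cap_factor=2.0, baseline_pps=BASELINE_PPS):
    """Hypothetical rule: cap traffic to the target at a multiple of baseline
    so the service degrades instead of collapsing while operators respond."""
    cap = int(baseline_pps * cap_factor)
    return f"rate-limit dst {alert['dst']} dport {alert['dport']} max {cap} pps"


def build_sample_flows():
    """Constructed sample: 10 quiet seconds, then 6 seconds of a many-source UDP/53 flood."""
    flows = []
    dst, dport = "203.0.113.10", 53
    for ts in range(10):                       # 40 sources x 5 pkts = 200 pps
        for i in range(40):
            flows.append(Flow(ts, f"198.51.100.{i}", dst, dport, 5))
    for ts in range(10, 16):                   # 300 sources x 10 pkts = 3000 pps
        for i in range(300):
            flows.append(Flow(ts, f"10.0.{i // 256}.{i % 256}", dst, dport, 10))
    return flows


if __name__ == "__main__":
    for alert in detect(build_sample_flows()):
        print(alert)
        print(compensating_action(alert))
```

In the sample, the alert fires at the third hot second (start 10, 3000 pps, 300 sources), while a burst of the same packet rate from one source produces no alert at all. Real deployments would learn the baseline per destination and time of day rather than hard-coding it, and would feed the action into an existing rate-limiting or scrubbing control rather than a string.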
I want to return to my original point, however. All of the things this writer (and all of the other writers these past few days) are describing still point to one strategic issue: an IoT-augmented attack just crushed the hell out of your traditional risk calculations. I hate to admit it, but in a sense I’m perversely pleased. It’s one thing for Gartner and others to continually warn of critical infrastructure failures in power systems and manufacturing. It’s quite another when citizens are deprived of their access to Facebook, Twitter and the other “vital” services they use daily (though in fairness, critical commercial services were impacted as well). It is ironic that the real action needed by businesses and governments to protect real critical infrastructure will likely occur as a secondary result of addressing a desperate and angry Internet-deprived populace demanding, and getting, protection for their social technology. Otherwise the costs of Internet withdrawal will be severe, overwhelming psychologists and board-game makers. If we really are viewing this as a “new normal” for the next year or so, you can get prepared for some fast action by industries and governments to at least minimize the impact, balance the risk and plan for major changes in how IoT devices and infrastructure are developed and deployed henceforth. Sometimes it takes an event of this magnitude to move us to action proportional to the threat.
Of course, time will tell.