On Bastille Day, July 14, a terrorist in Nice, France turned a cargo truck into a weapon no less destructive than a bomb or gun. Like the 9/11 attacks, the tragedy in Nice illustrated that terrorism’s most dangerous weapons are things we don’t perceive to be weapons.
But what if those things were connected to the Internet? What if terrorists could repeat the Nice attack, with thousands of vehicles, from anywhere in the world?
I ask these grim questions as a venture capital investor. At YL Ventures, our team searches for the best and brightest cybersecurity entrepreneurs in the world.
The Internet of Things (IoT) has blurred the line between physical and cyber security. We need to stop terrorist organizations from turning our connected things against us.
The Weaponization of IoT
Gartner predicts that by 2020, there will be 25 billion connected “things,” a quarter billion of which will be vehicles. Terrorists will try to weaponize them.
This is an imminent threat. “White hat” hackers have already managed to remotely disable brakes, jerk steering wheels, and paralyze connected vehicles (they used a Jeep Cherokee to demonstrate). In July, the Automotive Information Sharing and Analysis Center (Auto-ISAC) published the “Automotive Cybersecurity Best Practices,” the first guidelines of their kind. In the latest disturbing report, the same white hat hackers who showed how to interfere with the Cherokee have shown a way to take even more control over vehicles.
Currently, innovation and security are at odds. Sam Abuelsamid, an auto industry analyst and engineer who developed software for brake and control systems, describes the conflict this way: “By the mid-2020s, virtually all new vehicles will have data connections. As we add more driver assist and automation features, the potential for a bad actor to target the transportation system and either steal data, strand vehicles, or send them crashing into each other will be vastly larger.”
In YL Ventures’ work with Karamba Security, an Israeli-founded provider of automobile cybersecurity, we have investigated what a bad actor could do.
Imagine a group of state-funded terrorists with one goal: find a vulnerability in the driving systems of connected vehicles. Their researchers discover how to remotely accelerate a quarter of the connected vehicles on U.S. roads. During rush hour one day, they accelerate every targetable vehicle, all at once. We call this a “Zero Day” attack in the security world. The attackers cause as many collisions as possible, knowing that we’ll fix the vulnerability immediately after.
Zero Day attacks are not limited to cars. Connected medical devices, nuclear power plants, and water treatment facilities are all fair game. Imagining these scenarios is the first step in preventing them. The next step is finding our own edge.
An Asymmetric Fight
Today, cybersecurity professionals fight an uneven battle. The most sophisticated attackers use artificial intelligence (AI) to find weaknesses in corporate networks and devices. Terrorist organizations will use AI to exploit such weaknesses in order to hack devices, if they haven’t already.
AI doesn’t need coffee, food, and sleep, and there’s never a shortage of AI. Cybersecurity pros are another story. The U.S. alone has 209,000 unfilled cybersecurity jobs, according to a Peninsula Press analysis. Globally, Cisco estimates this defense personnel deficit to be 1 million globally, and the shortfall could reach 1.5 million jobs by 2019.
Under these conditions, how do we gain an edge?
First, we fight automation with automation. We can’t expect cybersecurity professionals to manually monitor IoT networks against AI. If a device can be weaponized, it needs cybersecurity software that can flag incidents, capture data on the attack, and block the intruder. If automation becomes able to prevent 80 percent of attacks, security experts can then focus on the 20 percent that is more complex and dangerous. YL Ventures’ portfolio company Hexadite has been doing just that for some of the largest enterprises, banks, and institutions in the United States. In hours or days, Hexadite’s AI does what humans would take years to accomplish: but only for enterprise security, not IoT.
Second, we simulate the attacks we fear most. Seculert, also a YL Ventures company, offers an intriguing model. They created the Javelin Attack Simulator, which launches innocuous attacks on networks to see if bad actors could steal data. We need to develop equivalent attack simulators for connected devices, and we need to run them incessantly.
Third, we reward “white hats” for hacking IoT devices. Let’s ask responsible hackers to crack devices that might be hijacked for violent attacks. Car companies are already starting to do this, but we need to put more IoT devices in the line of fire. Every time we hack a device and address the flaw, we eliminate a potential attack.
If we wish to prevent Zero Day attacks, we need to anticipate rather than react to cyber security threats. Let’s not wait for our cars to kill us.
Yoav Andrew Leitersdorf is Managing Partner at YL Ventures, which invests early in cyber security, cloud computing, big data and Software-as-a-Service software companies.