Clapper: America’s Greatest Threat Is The Internet of Things

Encrypt toasters and win the cyberwar

James Clapper Jr With Lt. Gen Burgess And Leon Panetta

James Clapper Jr With Lt. Gen Burgess And Leon Panetta

Defense Secretary Leon E. Panetta walks with James Clapper Jr., left, director of National Intelligence, and Lt. Gen. Ronald Burgess Jr., director of the Defense Intelligence Agency, before the agency's 50th anniversary commemoration ceremony on Joint Base Anacostia-Bolling in Washington, D.C., Sept. 29, 2011.Jacob N. Bailey, USAF, via Wikimedia Commons

Cybersecurity remains America's greatest threat, according to a report presented today by James R. Clapper, Director of National Intelligence, to the Senate Select Committee on Intelligence.

Almost two and a half centuries after America declared independence, over 150 years since the end of the Civil War, and 66 years since the Soviet Union became the second country in the world to possess nuclear weapons, the greatest threat the intelligence community sees facing the United States is Wi-Fi-enabled toasters. No, really.

Item one, bullet point on in the report is "Internet of Things," the broad catch-all for internet conencted home appliances, ranging from baby monitors to thermostats. Here's how Clapper describes the risk:

Security industry analysts have demonstrated that many of these new systems can threaten data privacy, data integrity, or continuity of services. In the future, intelligence services might use the [Internet of Things] for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials.

"Intelligence services" here mostly means spy networks from other countries, with hackers and spooks cracking into unsecured devices and peeking around inside. As threats go, this is relatively easy to mitigate and almost impossible to prevent entirely. Many devices, like pacemakers, come with either no or just default encryption settings.

That was enough for former vice president Dick Cheney to disable the online features of his pacemaker. It's also something that manufacturers can mostly fix, but adopting better cybersecurity practices and making sure their devices hold up to attacks. Interestingly, President Obama also chose today to ask Congress for more money to bolster private and public cybersecurity practices nationwide.

Something as straightforward as requiring a password before someone on a wifi network can access a device goes a huge way to reducing the risk. There are classes in security and even online educational games that teach the raw basics. Widespread and basic knowledge of cybersecurity best practices will go a long way to mitigating the threat, even if perfect security is impossible.

Besides hacked baby monitors, the cybersecurity part of the report is specifically worried about the rise of artificial intelligence. As humans turn over decision making, or parts of decision making, to exceptionally clever machines, we can expect the machines to fail in new and unique ways, sometimes as the result of an attack. From the report:

A.l. systems are susceptible to a range of disruptive and deceptive tactics that might be difficult to anticipate or quickly understand. Efforts to mislead or compromise automated systems might create or enable further opportunities to disrupt or damage critical infrastructure or national security networks.

Specifically, it cites the risk from unanticipated behavior in algorithms that are allowed to play with the stock market. That's a very real danger, though history is rich with incidents of humans themselves being so bad at the stock market that our economy collapses over and over again. Giving A.I. human responsibility creates new avenues for systemic failure, but the systems themselves can fail in well understood, human ways.

Just as important as the threats are the actors behind them. Clapper anticipates Russia, China, Iran, North Korea, and nonstate actors will all use cyber attack against the United States (and, indeed, many have already done so).

However, with every crisis comes an opportunity. And Clapper's report not-so-slyly implies the U.S. spy apparati will go ahead and use our growing accumulation of connected devices in the Internet of Things to peer deeper into the homes, workplaces, and lives of suspected wrongdoers.

From the countries, this mostly means a range of activity below the level of war—from espionage and reconnaissance to attempted industrial sabotage, all hovering below the level of outright war. Nonstate actors here includes terrorists domestic or otherwise publishing the home addresses of others in hopes of inspiring others to take violent action. It also includes criminals, sending malware or ransomware to steal and lock information unless the victims pay.

None of this is great, but it's a weird moment to live in where the greatest identified threat to America is hacked baby monitors, stolen email passwords, and new spying techniques.

That is not to say they are the only threats: terrorism is listed next, followed by nuclear weapons and weapons of mass destruction. All three of these threats: 1.) cyber attack, 2.) terrorism, and 3.) weapons of mass destruction, do something few other attacks can: cross the giant oceans insulating America from most of the world, and strike at people directly at home.

Of those three, cyber attacks are simultaneously the easiest to pull off and the least threatening when successful. Nuclear weapons risk the very end of the world.

Terrorism, while often feared disproportionately to its actual harm, kills people. Cyber attacks, at their very worst, do less harm to American infrastructure than squirrels. So far, at least...

[H/T: Brian Fung]