When cyber breaches can kill

Your client’s property and life are getting increasingly exposed to cyber attacks because just about everything today has computing power, an information security expert warns.

“It used to be what with computer security, we were worried about computers, desktops and laptops,” Bruce Schneier, a special advisor to IBM Security, said Tuesday during the Payments Canada Summit in Toronto.

But cars, appliances, power plants and medical devices are at increased risk from hacking attacks, suggested Schneier, author of Click Here to Kill Everybody: Security and Survival in a Hyper-connected World.

“All the lessons from computer security – about vulnerabilities, about hacking, about complexity, about changing technology – become true for everything everywhere, and I am not convinced we are ready for that,” Schneier said during the Payments Canada Summit, which is taking place May 14 through 16 at the Beanfield Centre (the former Automotive Building) at the Canadian National Exhibition grounds in Toronto.

“There’s a fundamental difference between ‘my spreadsheet crashes and I lose my data,’ and ‘my embedded heart monitor crashes and I lose my life,'” said Schneier.

But the computer you use for the spreadsheets could have the same type of operating system and central processing unit as one with an embedded heart monitor, added Schneier, and therefore the same method can be used to attack both.

“It’s only what the computer is attached to that makes a difference and that is the world that is coming.”

Conventional computers can be made more secure with patching but this is because the software vendors have teams working on software that addresses security issues and can be installed by the users.

“That fails with low-cost medical devices. The teams don’t exist.”

Schneier suggested that although he worries that someone might hack into his medical records and steal his private health records, he is even more worried about the consequences of a hacker being able to alter his health records and show that he has a different blood type.

Cyber security has three major elements – confidentiality, integrity and availability, said Schneier. Confidentiality means only certain authorized people can access the data. Integrity means the data cannot be changed and availability means that one has access to the data. So a corporate data breach means the data is no longer being kept confidentiality, while a ransomware attack means the data is no longer available.

If a criminal can hack into medical records and change what is recorded as the patient’s blood type, than the integrity of the data is compromised.

“When you get to computers that affect the world in a direct physical manner, the integrity and availability attacks are much worse than the confidentiality attacks because there are real risks to life and property,” said Schneier.

He demonstrated the significance by using an example of hackers targetting a connected car. Listening to one’s conversations on a bluetooth-enabled cellphone or figuring out someone’s location is a confidentiality breach, suggested Schneier.

“I really don’t want them disabling the brakes. That is a data availability attack,” said Schneier, who is also a fellow at the Berkman Klein Center for Internet & Society at Harvard University

“Your car used to be a mechanical device. Now it’s a computer with four wheels plus and an engine.”

The Payments Canada Summit is hosted by Payments Canada, which operates the clearing and settlement systems used by dozens of Canadian financial institutions.