Cyber and the Internet of Things are one and the same, and it’s time for information security professionals to tackle the realities of a connected world head-on, according to Maj. Gen. USAF (Ret.) Dale Meyerrose, president of the Colorado Springs-based MeyerRose Group.
Meyerrose delivered a keynote address to more than 400 attendees at the 7th Annual Cybersecurity Training & Technology Forum, held Aug. 30-31 at the DoubleTree by Hilton in Colorado Springs.
Forbes describes IoT as the concept of basically connecting any device with an on/off switch to the internet (and/or to each other). Cell phones, refrigerators, cars, lights, even implanted medical devices and machine components like jet engines can be part of this giant network of connected things.
IoT has only entered the mainstream consciousness over the past few years, but Meyerrose said it’s so all-encompassing that information security professionals need to stop treating it differently than other cybersecurity problems.
“The Internet of Things is a big topic; we all talk about it like we need garlic and silver bullets and crosses to fend it off,” he said. “[But] it’s called our industry and our business. IoT is what we do.”
Few people realize how software-defined our world is, Meyerrose said.
“I found it astounding that something as space-age as the [1970s] space shuttle had only 400,000 lines of software code. The Subaru I just bought has 115 million lines of code,” he said.
For perspective on how pervasive IoT has become, Meyerrose pointed to the fact that a 40-row corn planter has 1,000 sensors, and more than 60 percent of U.S. manufacturing companies already employ IoT technology.
“I’m here to tell you I don’t think IoT’s any different to any other cybersecurity problem. It’s time for us to stop wringing our hands about IoT and start doing something about it,” he said.
Meyerrose said that — to his surprise — his decades-old dictionary included a definition of IoT as a network of objects connected by an IP address.
“That Merriam-Webster dictionary’s dated 1992. Why is it we’ve only been talking about IoT in our business the last three or four years?” he said. “This is about how we look at our challenge.”
The world already has about 20 billion connected devices — three connected devices for every person on the planet — and Meyerrose predicted that number will double within the next two years.
“It’s time we got in front of the curve with regard to IoT,” he said. “Draw the line and worry about the next billion connections; not the last.”
Meyerrose said he wants to offer ways to think about IoT “that may make it seem a bit more tangible to us; hopefully give us some ‘Aha’ moments to help us address it.”
IS professionals should learn to look at nodes, inputs, outputs and end devices differently, and avoid the tendency to “get locked into thinking about the domain,” he said.
He quoted U.S. Strategic Command leader Gen. John Hyten’s Aug. 8 speech to the Space and Missile Defense Symposium: “There’s no such thing as a war in space; there’s just war. There’s no such thing as a war in cyber; there’s just war. We have to figure out how to defeat our adversaries, not to defeat the domains where they operate.”
Pointing to images on the screen, Meyerrose said: “That’s a navy destroyer shooting all its guns at once; that’s a Coast Guard cutter; this is the result of precision-guided weapons courtesy of our United States Air Force; this is the satellite constellation. Those aren’t domains. Those are battlefield effects — outcomes.”
Another vital shift in perspective: IS professionals should be focusing at least as much on helping their organizations achieve project outcomes and success, and “not only reacting to what might go wrong.”
Meyerrose finished with a list of “concepts to make IoT work right”:
- Create an IoT strategy that focuses on change leadership/management;
- Eliminate dispersed, incremental decision-making; take a holistic approach with the end state in mind;
- Create and enforce workable standards and frameworks;
- Link contracting with program accountability; and
- Measure and analyze the right things — activity versus outcomes.
“We, by ourselves, cannot fix any cybersecurity problem. It takes all kinds of skills and members of the team,” he said. “We’ve all got to understand where the other parties [in the organization] are coming from, so that we become more effective. … We’ve got to be more proactive in understanding what those different roles are, and become the catalyst for being somebody who is focused on the success and outcome, because guess who gets blamed when somebody gets hacked. It’s the cybersecurity people — you obviously failed at your job.”
Hosted by Information Systems Security Association — Colorado Springs Chapter and FBC, Inc., CSTTF explores cyber resilience, collaboration, threat intelligence, information sharing, workforce development and risk management through in-depth sessions and panel discussions.