There was a new kind of attack on the Internet last fall. Tell us about it.
Some bad actors seized control of a large number of devices, like video cameras, that connect to the Internet and used them to orchestrate a very, very large denial-of-service attack that left a lot of websites inaccessible for hours. It was a demonstration of the power that these bad actors or organizations could exert over what is basically a large part of the Internet itself. It affected such sites as Twitter, Netflix and PayPal. It also affected cloud service providers, including Amazon Web Services, which is even more worrisome.
What made this different from past attacks?
It was actually an attack on a part of the Internet infrastructure itself. The object of the attack was one of the domain name service providers (the organizations that help direct traffic across the Internet). To my knowledge this was the first time an attack has been mounted against that part of the Internet infrastructure. They got a lot more bang for their buck by going after a foundational element of the Internet instead of attacking an individual website.
Why is the use of Internet-connected devices in the attack worrying?
The number of connected devices (household appliances, electronics, locks, motor vehicles, etc.) has exploded. Most connected devices come out of the factory with very simple user names and passwords. Unless the new owner changes that, the bad guys can send out bots to see if they can find devices that have these simple unmodified user names and passwords and make them into slaves or additional bots within the overall network.
Why is this significant for insurers?
This is an issue for insurers when you think of connected homes, connected cars and all kinds of commercial property, factories, etc. These are potential vulnerabilities that no one thought about as vulnerabilities three or four years ago.
First, there is a direct implication for any insurer that is using the Internet of Things as part of any insurance product: for example, connected homes, connected cars, connected commercial property, even wearable devices for injured workers that are in rehabilitation programs. The reliability of the data going to insurers could be compromised. The whole point of the Internet of Things for insurers is to get new kinds of data that let them be smarter in terms of how they’re pricing, underwriting and adjusting claims. This vulnerability potentially undermines the basic value proposition of the Internet of Things for insurers.
There is something even more ominous. Bad actors could wreak havoc by taking over basic functionality within a car’s steering system or braking system. That could cause individual accidents or a lot of accidents. It could cause a lot of losses that were not anticipated. The nightmare scenario is the cyber warfare dimension. It’s not an insurance issue, but you could have a state actor or terrorist organization that wants to wage cyber warfare on societal infrastructure, power grids, water supply systems.