John Sabin, ICIT Fellow, Director of Network Security and Architecture, GRA Quantum
05.05.16
While suicide bombers and active shooters capitalize on our most human fears, cybersecurity experts working to defend critical infrastructure understand that loss of life can be achieved without lighting a single fuse or firing a single bullet. As we move deeper into the digital age, keystrokes and wireless transmissions are increasingly able to cause catastrophic damage—and even loss of life. In today’s increasingly digital landscape, black-hat hackers and state-sponsored actors have found a way to use their cyber skillsets to similarly prey upon our very humanity. Once-unimaginable threats are becoming status quo dangers, particularly given the vulnerabilities of medical devices.
Giving a keystroke the lethality of a bullet takes a sophisticated understanding of how the Internet of Things (IoT) is progressing, in addition to a keen desire to do harm and a dash of imagination. This dangerous combination was exemplified—albeit fictitiously—in season two of Showtime’s Homeland when a cybercriminal assassinates Vice President Walden by hacking his pacemaker. From miles away, the terrorist’s digital fingertips manipulated Walden’s pacemaker until his heart sputtered to a stop. However, these vulnerabilities no longer exist solely within the confines of our television sets. From defibrillators and intravenous infusion pumps to ventilators and anesthesia devices, the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has detected vulnerabilities in hundreds of medical devices.
Luckily, our government and the medical device manufacturing industry have been aware of these risks for decades. The Food and Drug Administration (FDA) issued new guidance for medical device manufacturers in February that reflects a growing awareness of these risks and advanced understanding of today’s cyber landscape. Part of the FDA’s prescription calls for public-private cooperation within information sharing analysis organizations (ISAOs).
While cooperation between industry and government in this regard will, in time, sort itself out, my experience advising executives across many sectors in private industry tells me that the effectiveness of ISAOs in the short run will be limited. The legacy of distrust of government by many in the private sector, born from controversial incidents like the Edward Snowden affair, means a trust deficit exists that may cause some to hold back in the types of information they choose to share with government agencies.
This is not to torpedo the idea of information sharing collectives, for they are certainly invaluable components of comprehensive cybersecurity strategies—especially for medical device manufacturers. Communicating common concerns, vulnerabilities, and goals across professional networks is crucial to building well-rounded awareness of threats targeting increasingly “smart” medical devices.
To counterbalance any limitations certain actors within the private sector place on the kinds of information shared, wholly privately-run collectives should also be stood up to run parallel with ISAOs. These may be organizations completely new and specifically created for the purpose of information sharing, or adaptations of existing professional associations individual firms already know and trust. While some redundancy is inevitable, until that trust deficit is shrunk, this may be the best possible way forward.
John Sabin, an ICIT Fellow, is the director of network security and architecture of GRA Quantum. He has previously worked for the National Institute of Science and Technology and was part of a start-up organization within the DoD that eventually transformed into a permanent division focused on offensive cyberspace operations.