SAN JOSE, Calif. – A cryptography expert has drafted a paper to show how a single smart light bulb could infect a smart city with malware in minutes. The threat was one of many discussed by a panel of experts in their annual report card on security at the RSA Conference.
In a separate session, the chairman of a U.S. congressional committee on homeland security raised an even more ominous specter. “The bad guys are leaving cyber fingerprints on our critical infrastructure, sending a message, ‘Watch what you say and do because we can hit you from within,’” said Representative Michael McCaul (R-Texas, 10th District).
McCaul called for a new national cybersecurity plan coordinated by the Department of Homeland Security that mandates regular exercises and lays out strike-back options. “We are in the fight of our digital lives and we are not winning,” said McCaul, who is briefed weekly on cyber threats, including briefings that started last spring on Russian hacking related to the U.S. presidential election.
“I pushed President Obama and then-candidate Trump to take public positions, and I was disappointed in their responses [to attacks that] jeopardize the fabric of our republic,” he said.
Adi Shamir, co-developer of RSA public key encryption, was equally dire in his overall assessment of threats. “The Internet as we know it today is beyond salvaging, I really think we should start over,” he said in the annual cryptographers’ panel.
Shamir and colleagues will present a paper later this year called “IoT Going Nuclear.” It describes how one person with a malware-infected smart light bulb could within minutes infect a smart city that uses a large number of smart lights.
He noted smart TVs from Korea’s LG Electronics have already been hit by ransomware. “The government should do something about [such problems] by not allowing devices not sufficiently secured to be connected to the public Internet,” he said, drawing a round of applause.
Panelists generally agreed that machine learning, quantum computing and blockchains will not have a huge impact on security in the near future.
“I’m optimistic about AI in defense but not offense,” said Shamir. Finding “new zero day [attacks] requires ingenuity,” not the strong suit for machine learning which is “useful in comparing behaviors and finding deviations and warning about them,” he said.
It will take many years to build practical quantum computers that could defeat today’s encryption schemes. However, “I’m not seeing the same level of mathematical research on post-quantum efforts [as on encryption generally] and that concerns me for accepting [today’s post-quantum techniques] as standards,” said Susan Landau, a professor of cybersecurity policy at Worcester Polytechnic Institute.
The RSA Conference hosts the annual gathering of encryption experts. (Image: RSA Conference)