I was stopped in my tracks as I was leaving the house the other morning when I heard Donald Toon, Director of Cyber Security at the National Crime Agency, talking to John Humphrys on the BBC Today programme. They were discussing the risks that arise when devices such as home freezers and fridges are linked to the Internet of Things and can be hacked to launch a cyber attack or to steal our personal information.
Mr Toon explained that hackers can use a range of tools and specialist software to harness the power of the Internet of Things. “Freezers you say!” exclaimed an incredulous Mr Humphrys. “Why would I want to connect my freezer to the internet?” Ah, well, explained Mr Toon to an increasingly agog interviewer, as long as an appliance, such as a fridge or freezer, is capable of being connected to the Internet, it can be hacked, even if the appliance is not actually currently connected to the Internet.
This is because hackers can still use software to trigger a connection and then connect to other devices to steal personal information – or worse still, harness the computing power of your device, and link it to other people’s devices or appliances to launch a distributed denial of service cyber attack. These attacks are very hard to spot and a surge in wifi usage may be the only clue. As we all rush towards ownership of billions of connected devices, do we know what we are doing, I wonder as I leave the house?
Part of the problem is that as we all seek to control our heating from the train, get our fridge to restock itself through the online supermarket and speak to Alexa or Siri to check the weather, the next bus or the latest football score, we need to stop and think – are we giving away more of ourselves than we intended? The benefits of a connected world are huge but they don’t come for free and we all need to understand enough about our technology to prevent us from endangering ourselves, our family and the wider community.
We certainly need to make sure our education system is preparing children to protect themselves. The subject of cybersecurity has recently attracted attention from many students, with 1250 people applying for the 23 cyber security apprenticeships made available earlier this month. This is encouraging, and with businesses increasingly keen to employ people with cybersecurity skills and knowledge to help them protect their companies the 23 lucky apprentices will no doubt be at a premium once trained. But it’s a drop in the ocean and a long way from what most students learn – and an even longer way from what most people probably understand.
And yet education has to be an important part of our defenses against what must be an increasing risk of cyber attack. We all need to understand enough to ensure that we don’t leave the virtual door open to our private property for anyone who wants to come along and misuse it. We must of course be able to rely on large companies such as the social media providers to protect us from inappropriate and abusive material BUT we also have a responsibility to equip ourselves and our students with the wherewithal for self-protection, because no system will ever be completely bullet proof.
If we want to control our devices and connect them to the Internet then we need to understand that, as Mr Toon pointed out, these smart watches, phones, fridges and freezers are mass produced with their online capability built in. Their security is poor and the vast majority of people don’t change the default settings. These default settings include passwords, so it is like buying a car and leaving all the doors unlocked.
We need to start working with young children in school and provide training for all the adults who want to use social media and the Internet of Things to connect their lives. Of course we need to teach them about how to devise secure passwords AND we need to give them good techniques for memorizing them so they don’t need to write down all the numerous complex passwords they have to use.
But we also need to teach people the basics about how devices connect and what we all need to do every time we buy a new smart tool or join a new social media site: CHANGE THE DEFAULT SETTINGS. There is an irony in all of this, because ‘nudge’ theory, so popular a while back and the foundation for the government’s behavioural insights team (now a limited company), is all about encouraging people to do the things we want, such as sign up to a workplace pension, by making this part of the default package they are offered. Nudge may well have come back to bite us, just as we need people to be saying “Hey mum, the fridge would have let the burglars in if we had not changed those default settings when we bought it home”.