I was recently chatting with my father about his life as a young boy growing up in rural Ireland in the middle of the last century, and the conversation moved onto cars and how when he was young cars were a relatively new technology.
In the world we know today, road safety is carefully enforced to the point where we take it for granted. But it wasn’t always thus. People simply weren’t aware of the risks. When my father was a boy there were no seatbelts, no airbags, no crumple zones in cars, nor any roll cages to protect passengers. Indeed, there were few comforts such as radios or heaters and, as my father explained, some people kept warm in wintertime by drilling a hole in the floor of the car to let the hot exhaust fumes waft into the cabin.
My father’s description of the near-total disregard for road safety in a relatively new mode of transport made me think about cybersecurity and how many of the issues we face today as professionals also relate to the interaction of user behaviour, devices, systems and rules.
Inspired by my father’s tales, I searched for more information on the subject and found a fascinating article in the Detroit News, appropriately titled 1900-1930: The years of driving dangerously.
“In the first decade of the 20th century there were no stop signs, warning signs, traffic lights, traffic cops, driver’s education, lane lines, street lighting, brake lights, driver’s licenses or posted speed limits. Our current method of making a left turn was not known, and drinking-and-driving was not considered a serious crime. There was little understanding of speed,” the article explained.
Road safety was far from uniform. Connecticut was the first State in the USA to introduce traffic laws in 1901. When Britain introduced the Highway Code in 1931, there were just 2.3 million motor vehicles, yet road accidents claimed more than 7,000 lives each year. Today, there are 27 million vehicles on the road, yet the number of road deaths is half of that in 1931.
Today, if you want start building cars, you must meet very stringent safety standards and certification schemes before the car is deemed roadworthy. For the safety of drivers and passengers, cars have to undergo numerous crash tests before they get to the road. Even relatively simple safety innovations like headrests to reduce the impact of spinal injuries in crashes only became legally required in all passenger cars in 1969 – almost half a century after their design was first patented!
These changes weren’t made by the automakers voluntarily, but because insurance companies and governments began to intervene. Car safety evolved over decades, and it occurs to me that this change points the way for what needs to happen in cybersecurity. The volume and scale of recent data breaches and cyberattacks all suggest we’ve come to the same fork in the road that the auto industry reached in the mid-1900s.
We’re facing serious security challenges with the Internet of Things, and the parallels with road safety are even more striking. The number of connected devices offered in the market rises inexorably. The low cost of manufacturing (and consequently lower profit margins) often relegates good security to an afterthought. An Internet-enabled camera must adhere to very stringent electrical and safety regulations, but there’s no similar certification schemes for the software controlling it. Makers must make sure that the device doesn’t blow up or electrocute the user, but they still aren’t forced to ensure an attacker can’t access the camera remotely and invade the user’s privacy.
Some technologists argue that excessive regulation stifles innovation and development. But the prospect of many rules didn’t deter Google and Apple from getting into the autonomous car business. I would argue that regulation ensures that whatever innovation happens, the consumer is protected (instead of just the manufacturer).
We need to foster the same environment in cybersecurity that exists in road safety today. The driving environment is as safe as it is because earlier generations paid a huge cost: not just the car manufacturers and insurance companies but the families devastated by injury, tragedy, and loss of life.
Roads have traffic lights, speed limits, overtaking lanes and guard rails. Cars have an array of safety features like airbags, crumple zones, anti-lock braking, seatbelts, parking sensors and child seats. The IoT industry needs to start building in similar cyber safety features by design.
Security awareness training, in this analogy, is just the rules of the road – although it’s very important, it’s not enough by itself. There is no good reason why one individual who mistakenly clicks on a malicious link should put an entire organization at risk.
The security industry urgently needs to encourage stakeholders to work together on a standardised set of rules for drivers (the users), but also a secure infrastructure that people can trust, along with devices and systems that protect them from their own mistakes. By all means, let’s teach people to drive carefully, but let’s also work to develop better engineered vehicles and infrastructure to let them reach their destinations safely.