Just because something is scary doesn't mean it's a figment of your paranoid imagination.
That is Joshua Corman's response to those who say there is too much unwarranted FUD (fear, uncertainty and doubt) regarding the lack of security in the Internet of Things (IoT), which is rapidly evolving into the Internet of Everything.
There is reason to be afraid, he said, because the dangers in the digital "ocean" are as real as swimming in a physical ocean of sharks, with blood in the water.
Corman, CTO of Sonatype and one of the featured speakers at the Security of Things (SECoT) Forum in Cambridge, Mass. on Wednesday, used that image for the title of his talk, "Swimming with Sharks -- Security in the Internet of Things."
As he and other speakers throughout the day noted, the attack surface of the IoT is growing exponentially. Most estimates are that there are at least 10 billion "things" now connected to the Internet, with that number expected to reach anywhere from 50 billion to more than 212 billion by the end of this decade, with 30 billion of them self-governing and "autonomous."
And so far, there is no "cavalry" coming to save the public from IoT threats. It is up to the security community, he said, to "be the voice of reason" and to call for public policy makers to improve "technical literacy." Corman's latest project, @iamthecavalry, is an effort to bring security awareness regarding the IoT to the grassroots.
That, he said, is because there is plenty of information about cool features and convenience from embedded smart devices (remote door locks, automatic insulin pumps, self-driving cars), but not so much about the risks.
"A bedrock principle is that everything we do is based on risk v. reward," he said, "but right now, our understanding of the risk is not based on complete information."
The reality of the IoT, he said, is that, "right now the sharks outnumber the good guys." Instead of Advanced Persistent Threats (APTs), he said it would be better to think of Advanced Persistent Adversaries. "They're a different kind of shark. It's a very serious problem -- not really a 'what' but a 'who' and 'how.' And we are losing. Our best and brightest are spending millions and billions on security controls, but there are still breaches on a regular basis."
One of the reasons for that is that "offense is easy, but defense is hard." That has been proved by Anonymous, he said, the loose hacktivist collective that Corman spent some time studying as a "species of predator." What he found was that, in spite of the group being populated by relatively unsophisticated people using rudimentary tools, "they made up for it with will power. They went on a 50-day rampage called the Summer of Lulz and pretty much took down anyone and everyone they wanted with great success. They held up a mirror to our neglect. They showed how badly we've operationalized basic web security."