Rethinking Smart Technology
$800 million. $991 million. $708 million. $645 million. These are the losses, starting from the third quarter of 2016 and proceeding through the second quarter of 2017, for the original ride sharing service, Uber. Investors would normally balk at a company with a single quarter of losses, much less all four. Yet private equity is still scrambling hand over foot to increase their stake in the company. There are many contributing factors to Uber’s successful fundraising, but the most significant impact comes from its investment in self-driving “smart car” technology. Current revenues are after paying for drivers, after all, with a self-driving vehicle cutting out the freelancer, profits could exceed current losses by many multiples. Self-driving cars aren’t the only juicy investment vehicles for futurists, however. Samsung is pushing out top of the line smart fridges, startup Ecobee is working on smart thermostats, the appropriately named Ring is making doorbells and peepholes that sync with mobile phones, and there are hundreds of other startups all seeking to bridge the gap between the Internet and the physical world. A less principled group of individuals are also praying for their success: hackers.
Worries about tech being hacked and turned against the user are older than the Internet; what’s new is the scale of interconnectivity. Take, for example, self-driving cars. Hijacking personal vehicles could lead to many tragic accidents, but hijacking semi-trucks or other delivery vehicles that are self-driving could shut down entire roadways, or divert vital supplies from cities. Hacking into a Smart TV may sound trivial, but if the TV has voice recognition technology, the microphone could be repurposed to eavesdrop on the owner. Remotely controlled food storage and sorting systems could similarly be sabotaged, perhaps turning off the cooling temperature for dairy products or skipping packaging on spoilable foodstuffs. Hackers could ransom the solution to stop the malware, or just threaten business owners with continued sabotage if they don’t give in to certain demands.
Confronting the vulnerabilities of the tech obsessed world may make one want to just roll the whole thing back and smother the so-called “Internet of Things” in its crib. But there’s no need for such drastic measures, at least not before implementing simpler solutions. First, the legal system needs to catch up with intelligence services. The aforementioned smart television hack entered the public consciousness after a WikiLeaks cache of classified documents revealed that the CIA was exploring the vulnerability, along with hundreds of other “0-day” exploits. The government should mandate intelligence agencies disclose vulnerabilities to the relevant business, rather than hoard them for future use. This could start in the executive with specific policy recommendations relating to the disclosure being created and updated as technology becomes ever more sophisticated. Ultimately, however, Congress should come together and pass laws mandating proper disclosure. In addition, the government must make cybersecurity a priority for all agencies, not just defense and intelligence. Upgrading the devices used in house at agencies like the Department of Health and Human Services or Department of Energy will allow IT personnel at underlying agencies to prepare for future attacks like the one on OPM that exposed millions of current and former government employees’ data in 2015.
The government can’t be on the hook for all of it, however; businesses must do their part and extend the time for testing software, as well as hire penetration testers, the “white hat” hackers that look for holes and vulnerabilities before their products hit the market. Even better would be to offer “bug bounties” to crowdsource the vulnerability search. Breaking into gadgets for cash sounds like fun, but it’s incredibly risky in the current legal system. Responsible disclosure—the practice of discovering vulnerabilities and then informing the company responsible for repairing them before publicizing –has ill-defined norms. Meaning that, while ethical hackers could be rewarded for finding a vulnerability, they are just as, or even more likely to be harshly reprimanded with fines, legal injunctions or even jail time. If the private sector doesn’t have the will to lead in this area, the government must. Outlining clear rules for how long a bug must be kept under wraps, and proper documentation to prove the bounty hunters earn their dollars, is a good start. Codifying these regulations will ensure both bounty hunters and businesses are protected—as well as the public.
As with most scientific advances, the coming of smart technology is a double-edged sword. Simplification of ordinary tasks like driving will no doubt increase productivity and satisfaction among consumers, but there are real hazards to letting devices think for themselves. Rather than overregulating to the point of stifling advancement, however, the government should simply increase the power of responsible disclosure, both by practicing what it preaches with regards to intelligence agencies, and by providing guidelines to motivate talented ethical hackers to keep ahead of the scoundrels. By investing in cybersecurity, the government can also quickly and efficiently respond in worst-case scenarios. And unlike pouring money into Uber, such an investment is likely to pay dividends within the decade.