Defending against distributed denial of services (DDoS) attacks, such as the one directed at the domain name management company Dyn in October, is one of the Department of Homeland Security (DHS) Science and Technology Directorate’s (S&T) priorities for the upcoming year.
DDoS attacks occur when a computer is flooded with so much information that it cannot respond. Dan Massey, a program manager in the Cyber Security Division (CSD) at S&T, said the agency is adjusting to the shifting nature of these attacks. Massey said that, in the past, these onslaughts would come from big computers sitting on people’s desks. Now, laptops, phones, refrigerators, and smart thermostats can be used to originate attacks.
“A hacker could have your refrigerator send a million packets to ‘Bank of Whatever.’ It’s just junk that the bank throws away at the input pipe, but if you throw so much junk at the site, the real stuff can’t get through,” Massey said. “If somebody hacks into a government vehicle, we care about that. If somebody is hacking medical devices and causing fatalities, we care about that. If somebody hacks into your smart refrigerator and melts your ice cream, we feel for you, but it’s not a DHS priority. However, there have been cases of smart refrigerators hacking into U.S. banks.”
Phone lines, in additions to data centers and banks, can be susceptible to DDoS attacks. Massey used the example of a 911 call center. People have been making bogus 911 phone calls for decades, but now hackers can direct such calls from laptops and other devices. Massey used the example of a kid in Arizona who was charged because he downloaded malware onto his iPhone that repeatedly placed calls to 911. These calls quickly backlogged, because police cannot decide to answer every tenth call and had to respond to each one individually.
In addition to protecting against DDoS attacks, Massey said one of CSD’s goals is to improve the cybersecurity of smart vehicles. One of S&T’s core missions is to protect first responders; Massey cited a study from the University of Arizona that said 19 percent of first responder deaths were vehicle related.
Massey said one area of concern is for smart cars not to get too smart. Smart vehicles have the ability to communicate with one another and brake to avoid collisions. However, Massey said smart vehicles should not override the decisions of the humans driving them. For example, police officers sometimes use the precision immobilization technique (PIT) maneuver, which involves running into a car and causing the fleeing driver to lose control of their vehicle. Massey said that police-operated smart vehicles, which are able to brake automatically, need to be able collide with other cars if officers need them to.
“If we can make the vehicle safer, we can have a real impact there. Now the flip side of that is worrying about the cybersecurity of the car,” Massey said. “You would love to have that police vehicle automatically stop and avoid that collision, except when you don’t. We need to get that technology in so that it saves lives, but also works for the mission.”
Although smart vehicles have the potential to save lives, they also introduce a host of new cyber vulnerabilities. Massey has never seen cyber warriors hack into a car’s steering and brakes “in the wild,” but research has shown that it is possible.
In order to protect smart vehicles from getting hacked, CSD is working with industry leaders and academics on a way to update a car, similar to the way one would update a phone or a computer. Massey said that cars have more than 100 million lines of code, which is “a couple of orders of magnitude more than a space shuttle.”
“To think that we never have to patch or update these things is just missing the boat,” Massey said. “We have to securely update the code in a vehicle.”
Vehicles are not the only smart technology Massey is working to secure. He said the medical field presents an array of smart devices, such as MRI machines, pacemakers, or insulin pumps, which need cybersecurity protection.
CSD collaborates with universities, start-up companies, and other Federal agencies, such as the Department of Transportation (DoT), and the National Science Foundation (NSF). DHS hosts research and development consortia to address cyber issues and turn ideas into marketable technology.
Massey said the transition stage between investors, agencies, and researchers often takes the most effort. He said he gauges success in terms of technology that is available to consumers, not brilliant ideas on white paper.
“One of the reasons we can do this is because we have such a good team. We’re on that critical path,” Massey said. “We spend as much if not more time on the transition piece than we do on the technology itself. That’s really crucial. That’s how we measure a lot of success. It’s the end users who use it.”