I do not like fear mongering.  However, I do believe that technological advances are outpacing our collective understanding of their implications.  There is a dangerous difference between our understanding and what is actually happening.  We need to take action now.

The threat I worry about is global interconnectivity.  As in, who the hell thinks it is a good idea to connect a car to the Internet?  Or a plane?  Or an industrial plant that manufactures highly toxic or explosive chemicals?  Regardless, organizations are doing just this.  They are, knowingly or not, connecting IT assets to the Internet, thinking this will save costs, improve efficiency, or otherwise improve lives.  The reality is that we collectively are constructing a web of instability.

Two specific issues leverage global interconnectivity, resulting in huge risk.  The first issue is increased span of control.  Span of control is the ability of one person or process to control many other people or processes.  Think about placing an online order with Amazon.  With a simple “one click purchase” a single person sets off an immense chain of events that eventually lead to a product being delivered to one’s door in one or two days.  A single person controls the web page, the Javascript in the web page, the connections to the Amazon server, the backend connection to other servers, the order processing, the payment processing (and the enormous cascade of events that induces), the order fulfillment process, the shipping process, etc.  Just think about the total energy consumed throughout all the processes, all the machines affected, and all the people affected.  Something like an Amazon purchase is wonderful from a consumer perspective.  The dark side is that a malicious actor can have just an extensive span of control as the typical Amazon customer.  A single person, whether state-sponsored or lone wolf, can kill hundreds of people on a passenger plane, destroy a town near a chemical processing plant, derail major transportation routes, or induce economic collapse.  People who say this is far-fetched are only trying to make you feel safe.  If you depend on modern civilization, with all of its interconnectivity, then you should not feel safe.

The problem of increased span of control has been around for a while.  Suicide bombers are one example.  The only positive, if one calls it that, is that disastrous events caused by increased span of control have been limited in scope.  That is, one major event happens and then people recover and clean up.  This is changing now.  The second issue leveraging global interconnectivity is deferred action.  That is, a malicious act can be scheduled to happen some time in the future.  Think of the news stories about hacking events that were not discovered until long after they occurred.  Hacker breaks in, steals data, and a year later somebody finds out.  Consider this scenario — hackers break into major infrastructure or economic hubs today, and schedule bad things to happen one month from now.  A determined malicious actor could do an incredible, and irreversible, amount of damage.  If we wait passively, I believe disaster is imminent.

The number one thing we can do to head off disaster is stop trusting everyone.  While IT professionals may not feel the urgency, professionals in the military or law enforcement should know exactly what I am getting at.  We cannot connect every automated device to one global Internet and trust that everyone on the network will do the right thing.  If you connect a device to the Internet, then you must, until proven otherwise, assume that any connections to that device are adversarial in nature.  I do not mean usernames and passwords — information is free and proliferates whether we want it to or not.  When considering trust, it is behavior that counts.