I was shopping on Amazon recently looking for a gift for my daughter. The choices are endless, and it seems everything has an electronic or connected element to it now. While researching dolls, I came across a news item that Barbie can now carry on a conversation with your child. The toy relies primarily on cloud-based speech recognition technology to accomplish this feat. All conversations are stored so that parents can access them and Mattel, the maker of Barbie, can use them for product improvements – something typically done in speech recognition initiatives.
The reporting focused on the understandable risks of having potentially sensitive conversational data from your child (and future consumer) in the hands of Mattel as well as on the challenges of securing this data and preventing access to your child from the outside world. Imagine hackers stealing this data and deciding to publish it or holding it for ransom were it sufficiently embarrassing. These are fair concerns – ones that I share and, as a result, I am now looking for another gift to purchase this season.
In a separate news story, the Wall Street Journal ran an article on the discovery that a control system at New York’s Bowman Avenue Dam was compromised by an Iranian hacker group in 2013. The attack was focused on gathering information, so it was deemed of little threat to the community. However, it did raise serious alarms in the government because of the group responsible for the attack. It is particularly notable in that it illustrates how vulnerable our critical infrastructure is to outside attack.
Of the two cybersecurity stories, Barbie received more coverage. So, why the difference? Both are potentially damaging, but only one has the opportunity for catastrophic damage and loss of life (were it another dam). Why is the breach of information more concerning than the breach of process?
There are many answers to this, but I think two are important to highlight. First, information breaches – particularly financial or personal ones – directly impact the individual and are easier for the public to understand. Losing your credit card data, for instance, is more relatable, as many have experienced this attack personally. Second, companies are not compelled to disclose process breaches to the public. When they do disclose them, the breaches are more difficult to understand in terms of what happened and the potential impact. Also, the fact that these breaches have only done damage in a limited number of instances just does not stir public excitement.
Although understandable, is this fair? Clearly the answer is no. Media needs to take greater notice of the potential threats to our infrastructure. Sunlight is the best sanitizer. Bringing more attention to infrastructure risk will accelerate governmental and industry action to secure our systems.
What do you think? Does the media need to do a better job covering the risks to our nation’s infrastructure?