"Everything is connected": W&M senior pens winning essay about cybersecurity in the age of 'Internet of Things'
It’s as uncommon as a plane crash, but large-scale cyber attacks can be every bit as expensive for an insurance company. A William & Mary senior won an award for his essay that investigated the threats and costs stemming from cyber vulnerabilities.
Luke Schwenke ’19, a Data Science major from Warrenton, Virginia, earned first place in the Intermediaries & Reinsurance Underwriters Association’s 2018 Scholars Program Essay Contest. His winning essay earned him a $10,000 top prize from the IRUA and publication in the most recent edition of their quarterly journal for insurance industry professionals, the Journal of Reinsurance.
“The ten thousand dollars is really nice,” Schwenke said with a smile, “but then to be in a published journal looks good on a resume, and it’s something unique.”
Titled “Insuring against Unknown Cyber Attacks in the Age of IoT,” Schwenke’s essay explored the new ways insurance and reinsurance companies must craft coverage policies in the age of the ‘Internet of Things’ or ‘IoT.’
‘IoT’ is a term that refers to the fact that internet connectivity has been built into most modern devices and machines, allowing them to send and receive data. While increasing inter-connectivity can make life easier for users, it also opens up new avenues for cyber attacks.
One of Schwenke’s main findings was the immense amount of risk insurance companies take on when insuring IoT producers and consumers. Through his research at W&M he uncovered a study by Hewlett Packard that found seven in ten IoT devices contain vulnerabilities that can be exploited by hackers.
In theory, the pervasiveness of the internet makes daily tasks such as buying groceries or doing the laundry easier, but with more convenience comes more hazards. In 2019, it’s not just laptops and phones that are at risk – even refrigerators and washing machines may be targeted by hackers.
Why would a hacker want to crack into a home appliance? They probably aren’t interested in the expiration date of the milk in someone else’s fridge. Rather, cracking into a fridge can tell them the sort of food a homeowner eats by accessing the barcodes it has scanned. From there, a hacker can infer income level based on the price of the items – and therefore whether the home is a prime target for a burglary.
Once they’ve targeted a house, Schwenke wrote, a savvy hacker could then figure out the best time to break in to the home by first breaking in to its smart thermostat. In order to save money, the coding that controls the thermostat may not prompt the air conditioning to run when no one is home. Hackers may notice daily cooling patterns and determine when the homeowner is unlikely to be home, and Schwenke discovered this scheme by searching through Swem’s online vaults.
During his research he uncovered an expectation that more than 26 billion smart-home devices will connect to the internet by 2020, and in the next five years companies will invest about $6 trillion in such devices.
The very appliances and applications that make a home more comfortable may also make it more vulnerable.
Moreover, the IoT permeates “production lines and warehouses to retail delivery and store shelving,” Schwenke wrote. Even the infrastructure of entire cities depend on the IoT, which is something that has not gone unnoticed by foreign countries.
“Gone are the days when serious damage was only done with things such as bombs and soldiers on the ground; the replacement is cyber warfare, where people can cause serious harm thousands of miles away, or right down the street, without anyone really noticing what has happened until after the damage is done,” Schwenke wrote in his essay. “With the introduction of IoT technology, the risk of a powerful cyber attack is exponentially greater because of its connective power between devices and the people’s lives who own them.”
In 2017, a cyber attack on Equifax cost the company more than $4 billion, and their insurance did not cover the entirety of their losses. Their insurers, in turn, were only partially covered by their reinsurers. Schwenke used this attack to highlight the dangers the insurance industry faces when handling IoT and cyber risks.
“Cyber is a huge exposure for the industry and it’s a very difficult one to accurately assess,” IRUA Executive Director Jerry Wallis said. “Luke’s essay is totally broad in scope, and he did a very good job of explaining and highlighting potential areas where cyber could impact the insurance and reinsurance industry.”
After laying out the risks posed by IoT devices, Schwenke’s essay provided context and guidance to insurers and reinsurance providers. He said accurately assessing the level of risk and determining optimal policies will be critical tasks for insurers and reinsurers – one that could either cost or save them billions of dollars.
He advised insurance companies to hire IoT and technology experts to illuminate the risks they face, or offer extensive training courses on the topic to their employees. They will also need to successfully navigate increasing regulation and frequency of cyber attacks, Schwenke said.
Schwenke added that insurers should work directly with tech developers to gain a better understanding of security mechanisms of new products and devices – thereby enabling them to better quantify the risk.
“Insurance and reinsurance companies will have to create more policies and invent coverage variations that do not yet exist to cover a wider range of risks since a one-size-fits-all policy will not work," Schwenke wrote in his conclusion. “Awareness of the challenges of IoT, coupled with the optimism of its power and benefits, will bring a wealth of success to the (re)insurance industry as it enters the new mainstream of contemporary business.”
Powered by Undergraduate Research
According to Wallis, Schwenke’s essay was chosen unanimously by the IRUA’s Scholarship Committee, which is composed of representatives from seven IRUA member companies.
“His essay definitely stood out as being very relevant and topical, very well presented and well written,” Wallis said. “It was an excellent production,” adding that Schwenke’s essay will be used as an example in the upcoming year’s contest entry guidelines.
Schwenke wrote his essay in the summer of 2018 while interning in Richmond for the Markel Corporation, a holding company for insurance, reinsurance and investment operations. He competed against interns from other companies that, like Markel, are members of the IRUA.
“I definitely felt like I had some sort of advantage over the other participants in the contest because I knew the skills I had learned from William & Mary helped keep me on track to finish a research paper that showcased my abilities,” Schwenke said.
Contest participants were prompted to write a 10-to-20 page research essay about an insurance or reinsurance topic that has the potential to impact the industry. While searching for a topic, Schwenke reviewed first-place essays from past years in order to uncover a winning formula. One essay discussed cryptocurrency, another explained insuring autonomous cars and a third tackled blockchain data. Picking up on a pattern, Schwenke sought a topic in the field of emerging technologies.
“I actually didn’t know what IoT was before researching it, but it sounded really interesting,” Schwenke said. “Everything is connected to the internet and we’re seeing it more and more. I figured I would have a lot to write about.”
Before he could start writing, Schwenke needed to find sources to fill out his paper. He said he turned to Swem Library’s online database named Primo to conduct his research because he was confident he would find credible and relevant information in peer-reviewed journals.
“That’s where I got all of my sources, pretty much,” Schwenke said. “Swem’s databases are great. That was a lifesaver. At first I did not have a concrete direction or argument for the paper but after finding some sources, the paper began to take shape.”
Science Librarian Kristy Borda called Primo the Google of library resources because it contains all of Swem’s physical and electronic holdings, news and scholarly articles, dissertations and more. It is available to everyone with an internet connection and an affiliation with W&M.
“We see students as producers, not just consumers, of scholarly information, and so we provide support at every stage of the research lifecycle,” Borda said. “The libraries are always seeking to empower student researchers.”
Schwenke said the most important research skill he has developed at W&M is the ability to sort through sources and filter the ones that are most relevant. That skill came in handy, as Swem’s database lists nearly one million results for the search terms “Internet of Things.”
In addition to sorting through sources, he also consulted Assistant Professor of Computer Science Adwait Nadkarni, who specializes in the study of IoT. Schwenke never enrolled in Nadkarni's classes, but he approached the professor with several questions about IoT, such as the risks posed by the technology and the role insurance companies will play as the technology continues to grow. The pair spoke over the phone and Nadkarni was quoted in the winning essay.
Nadkarni also framed IoT concepts in terms that are identifiable to people without his expertise. For example, he compared insurance policies for IoT to those purchased by airlines. While plane crashes are very rare, airlines still pay hefty insurance premiums because the few crashes that do occur are so expensive. Likewise, IoT hacks are uncommon but incredibly costly.
According to W&M Director of Undergraduate Research and Chancellor Professor of Biology Dan Cristol, more than 80 percent of W&M undergrads have a faculty-mentored research experience before they graduate.
"Undergraduate research takes many forms at William & Mary, from dozens of student co-authored articles published in scientific journals in the last year to the student-curated art show currently in the Muscarelle Museum,” Cristol said. “Luke's accomplishment is a perfect example of how our ambitious students can achieve at the highest level when they combine the vast information resources on campus with the support of faculty who really care about undergraduates."