The cyber community is seeing an increase in dialogue between legislators and companies developing IoT devices about the need for regulatory oversight and whether government intervention to secure IoT is needed — or should be feared. Here is a list of six questions that are at the forefront of the debate:
What is government’s role in securing the internet of things?
Government cannot solve the entire problem, so it first needs to understand its role and make the most of it. This means it needs to work strategically and top-down, starting with assuring that the whole system is secured. Call it a “systemic strategy.”
The government needs to identify and protect systems with a cyber-shield — rather than the piecemeal, element-by-element approach that Capitol Hill is discussing.
Government also has an important role when it comes to convening and leading forums to establish best practices for the creation of a secured ecosystem, including infrastructure frameworks that contain IoT within them.
If there’s one thing government can do better than industry, it is to assemble the best brains and talent in the country, from a cross-section of disciplines — software, hardware, manufacturing, AI — to focus their expertise on the challenges we face and to ask the right questions.
Another role government can play is to be the national educator — this will put pressure on vendors to start investing more on the security side of their devices.
Should the cyber community put pressure on lawmakers to legislate data security standards, best practices and processes, or is this a step too far?
This is the $64,000 question. Wisdom and long-range thinking are required here. There is a risk to published standards, because these standards are essentially an instruction manual for attackers on how to avoid detection. We want our “defenders” to innovate and think outside of the box — recognizing that attacks are changing constantly. Top-down standards create a dangerous “check the box” mentality.
That said, if done prudently, best practices and processes should be able to balance the need for cyber-creativity within a rules-based framework that the public can trust. So, no strict standards, but generally accepted best practices and processes should be legislated.
Does IoT need more consumer protection?
Consumers need to have faith in the products and services they buy, whether that is a mortgage, computer software or a pacemaker. Not every product needs the same level of protection, and not every attacker is after the same thing. I don’t think anyone would disagree that the “cyber murder” — as in accelerating an IoT-connected pacemaker — requires the most sophisticated security we have to offer.
As IoT evolves, and if attackers start to target IoT devices with increasing frequency, then of course more consumer protection will be called for. But I believe that if the industry proactively and effectively addresses the security challenges it faces, then IoT will develop comparable security protection to other internet-connected devices. So, reasonable concern is appropriate, hysteria about IoT teddy bears attacking kids isn’t.
Which IoT devices are the most vulnerable to attack?
Generally speaking, it is the cheaper ones, because the manufacturers of low-cost IoT devices would rather create new hardware models than patch existing ones. It may seem counterintuitive, but patching can cost more.
Without patches, these devices become more and more exploitable. Vulnerabilities will eventually be discovered and exploited in any IoT device — it’s just a matter of time. So the question really becomes how often vendors are willing to release software updates that carry security patches.
Also keep in mind that consumer IoT devices which include audio and/or video functionalities will be more attractive for attackers. That makes sense for a number of reasons, including human nature: It’s interesting to hear and see what is going on in other houses, and this can lead to ransom attacks, as well as industrial and national espionage.
Why are smart homes so vulnerable and what should consumers be aware of?
The smarter your home is, the more vulnerable it is. That’s because each and every IoT control point becomes a potential entry point for attackers. If your house were a business, we would designate each of those nodes as “business critical.” So your threat surface widens as you add smart speakers, doorbells and so on. But unlike businesses, homes don’t typically deploy advanced cybersecurity protections.
Meanwhile, your audio and video camera devices can be used for not just benign privacy violations, but for malignant violations such as ransom and espionage, as I mentioned before.
It’s important to point out that the goal for a frictionless smart home is interoperability. If your refrigerator, doorbell and teapot operate on different systems, that’s painful. But the ultimate consumer experience — interoperability, automation and simplicity — is also the ultimate playground for attackers, because it widens the cyber-attack surface and makes the network a more attractive target.
IoT vendors know they cannot succeed without supporting a frictionless, interoperable environment. They will always make that a priority over everything else — including security. This puts a lot of pressure on security vendors to innovate technologies that will allow the IoT industry to grow without exposing consumers to undue risks.
Can we trust the IoT industry to continue improving cybersecurity features?
For the reasons I mentioned above, at this point we cannot, because security is simply not aligned with the business interests.
The industry will need some combination of government pressure, consumer awareness and probably a major event that the media can latch on to — “Cyberattackers take over smart refrigerator; man goes into beer withdrawal and rushed to hospital” — to make security a priority.
Security is currently not aligned with the manufacturer’s business priorities. Manufacturers will need to feel some kind of pressure from the government, which will make security a business issue for them. That pressure can start with simply making consumers more aware of the risks.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.