Do IoT security risks require new legislation or will standards suffice?

SAN FRANCISCO -- While most of the attendees supported government regulation as a necessary part of taming the security threats raised by the internet of things, the experts on the panel titled "Internet of Insecurity: Can Industry Solve It or Is Regulation Required?" hashed out some of the details.

On the panel about IoT security risks were Bruce Schneier, CTO at IBM Resilient and special advisor to IBM Security, and Olaf Kolkman, chief internet technology officer for the Internet Society with moderator Craig Spiezle, executive director and president of the Online Trust Alliance.

"IoT is becoming a vector for abuse," Spiezle said at the start of the panel, and then he asked the audience whether self-regulation of IoT could work, and, by his count, "a solid 90%" of the audience responded that government regulation is a must -- but when he turned to Kolkman and asked whether industry can solve the IoT threat with self-regulation, Kolkman's response was "an unambivalent yes."

Kolkman and Spiezle spoke with SearchSecurity prior to the panel, and Kolkman said that "the internet of things is profoundly entering our life in many different ways that were completely unexpected. And that brings back a whole slew of problems that we've seen in the internet before. Your fridge manufacturer that used to sell fridges is now suddenly an IT company, and it doesn't have the background of the security considerations, speed of market and all those type[s] of things start to play and so we have an environment that is quickly overflowing with devices that measure our beings, our movements."

"That comes with security problems," he added. "That comes with privacy problems."

"About two years ago, the Online Trust Alliance started to look at the proliferation of devices, and in this rapid race to market and innovation [there is] a lot of promise for consumer benefits and business benefits," Spiezle said. "But we also find a lot of nontraditional market players coming to market. What we're very concerned about is not only the security and the privacy of the device when it's shipped, but are we thinking about the lifecycle issues of that device? And these devices may live beyond the first purchaser."

The big challenge, Spiezle said, was "how do we drive adoption? What are the incentives?"

The ability to patch devices to reduce IoT security risks is also very important. If, after a year, the vendor stops patching a device, it might not affect the usability of the device, "your light may stay on for years and years and years," Kolkman told SearchSecurity, but "if your lightbulb is used to stage an attack on infrastructure elsewhere -- a hospital or an electricity grid -- then there is an issue with that."

Spiezle said, "We had this conversation 10 years ago: Are you patching your PC?" But back then, if a PC crashed, it might mean losing a file. "That was something that impacted only you, or maybe your business." But now, "we're moving from internet security to physical safety, so the threat is shifting to the real world."

"This is important and it's not something we've talked about yet, but this is going to be the internet of sensors or surveillance," Schneier said near the end of the session, adding that "a lot of this data doesn't fall neatly under any of the privacy rules we have in the United States. Europe is really much more advanced."

Schneier pointed to the case of Vizio televisions that not only collected data, but did so without permission, and then sold it to third parties. That case "hinged on the fact not that they collected all this data, but that they lied about it in the license agreement you didn't read. If they'd just told the truth, nobody would have noticed and they'd be fine. And that's really the limit of our ability to regulate here. We have to look at the notice and consent, and whether the trade practices are unfair or deceptive. If they're not deceptive [and they say] 'this product maims your children, sorry,' that would be acceptable."

So what about the drone that's flying over Moscone Center this week? There's no notice, there's no consent -- because there can't be.

"It gets even worse when you can't do notice and consent," Schneier continued. "So what about the drone that's flying over Moscone Center this week? There's no notice, there's no consent -- because there can't be. Or the TV in your hotel room -- is that collecting data? I don't know."

"The notice and consent regime, which requires you to actually interact with it, purposely starts failing. And they fail all around the edges. So I think notice and consent disappears," Schneier added, pointing out that there are sensors everywhere, and noted that a babysitting company now requires its customers to disclose the presence and location of any sensors in their homes. "When I invite friends over to dinner, do I have to make them sign a waiver?"

In summation, Spiezle offered some suggestions for dealing with these IoT security risks, saying that "compliance is the minimum that you need to do." Schneier agreed, pointing out that "you won't go to jail if you do these things" to comply with regulations.

Alex Gantman, VP of product security engineering at Qualcomm, asked the last question of the panel, prefacing it by saying he was "one of the five" representatives of IoT device manufacturers, and also one of the few in the room who felt that industry self-regulation was sufficient.

"As a security engineer, I've never seen regulation actually being used to improve the security of a device; it's always used against improving the security level because we're already compliant, we don't need to do anything more." Instead of setting a floor for good practice, it sets a ceiling; adding regulation also brings in the lawyers, he said. "And you don't want lawyers designing the security of your product."

The key to compliance or regulation, Gantman said, is the ability to measure something -- so what can be measured to demonstrate compliance with regulations?

"I don't think we can talk about regulation versus no regulation; that ship has sailed. And now we're talking about smarter regulation versus stupider regulation," Schneier answered. "And it's our job to have these conversations, to come up with these documents, because otherwise they'll be written for us, and they won't be better because of it."