If there’s one thing we’ve learned over the past few days since the Internet of Things (IoT) distributed-denial-of-service (DDoS) attack gave the Internet brain freeze last Friday, it’s that (1) IoT devices are insecure, (2) we have a really good idea what needs to be done to make them more secure, yet (3) it’s hard to get everyone on the same page in dedicating the resources to actually make them more secure.
While that might seem like a stark truth, it only makes sense given how our economy and legal system works. Since no one company or device was responsible for allowing the attack, there’s no specific organization to shame or blame. Plus, it’s way too easy to point fingers at everyone else in the room and say there was nothing that could’ve been done, as everyone is responsible. Further, security costs money, and at the moment, companies want to pour their resources into grabbing IoT market share, not plugging holes that may or may not cause problems downstream. Unfortunately, this kind of thinking invites regulators and legislators to step in and attempt to dictate technology standards and best practices to address harms, both real and imagined.
In simpler times, we only worried about illicit eavesdropping on connected baby monitors and the specter of Internet-connected toys that allowed access to kids’ data that typical consumers assumed was secure. We’ve now found ourselves in a place where seemingly innocent connected security cameras and DVRs have become a vector for attacks on Twitter, Reddit, and Netflix – services most consumers would consider to be critical national infrastructure. An attack on the banking system is serious. Ruining Hill staffers’ plans for Friday-night Netflix and chill, however, is the surest way to guarantee a Congressional investigation that would put Iran/Contra and Benghazi to shame.
It doesn’t take a rocket surgeon to see that if the tech industry is to avoid industry-crippling regulation, it needs to man the battle stations immediately. Here’s what it can do:
- If improper use of an IoT technology can kill someone, drain their bank account, or broadcast them in their boxer shorts, it needs to implement strong, embedded security. Security and privacy are a trade-off between cost and risk: companies (should) invest more in security/privacy as the risk of harm goes up. As risk can never totally be eliminated – only mitigated – the issue now becomes how much security/privacy is too much? Can the failure of a device lead to a user’s death, such as in a connected car or a pacemaker? Then it should have strong embedded security onboard that allows it to send and receive encrypted data from trusted, authenticated sources to other trusted, authenticated sources without fear of capture, cloning or spoofing. Can improper use of the device ruin a consumer financially? Ditto. Can improper use of the device cause significant reputational harm or lead to the release of sensitive personally identifiable information? Double ditto. IoT architectures can be made more secure by implementing strong embedded security and privacy technologies into the device from the start. Don’t rely on software solutions; hardwire security in from the start.
- Develop a single framework. Lots of organizations have already stepped into the breach with their own trust frameworks that define industry norms for specific areas of practice, and even more are rushing forth to heed the siren call of IoT. Unfortunately, we’re reminded of the old saw: the great thing about standards is that there are so many to choose from. There’s a real risk of balkanizing the IoT industry with the multiple frameworks out there covering duplicate and overlapping concerns. While each is useful in its own parochial way, industry must come together to identify the framework – or multiple frameworks working in series – that will cover the baseline security and privacy requirements of the IoT industry, as well as serving as a foundation for the highly regulated industries that will incorporate IoT technologies: healthcare, financial services, transportation, children/education, and telecom.
- Now stick to that framework and evangelize it to the high heavens. The idea here is for companies both within and across industries to band together and take proactive measures to seek out, adopt and implement industry-accepted standards, best practices and methodologies that make products and services safer for consumers to use. This will go a long way to show consumers – and regulators – that they’re paying attention to their concerns, and that they’ve done something meaningful to address them. As one of the positive lessons learned from the days of Ma Bell, networks get exponentially more valuable when everyone gets on
- Get your third-party vendors to adopt your high standards or bid them adieu. IoT device makers rely heavily on third-party vendors to make their products work, store their customers’ data, and provide value to the relationship. IoT manufacturers need to ensure that the security and privacy controls their vendors use are proportionate to the risks involved. They need to be involved in all aspects of security and privacy planning while the product is being architected, to cover all the bases: design, testing, patching/maintenance, breach minimization and mitigation, and audits. If the vendors aren’t up to the task, it’s far better to find out about it before the product is architected, and not the day after an incident headlined in the Wall Street Journal.
- Tell the government that if it really wants to get involved in IoT, it can clear a path for those willing to do the right thing. There’s definitely a role for the government in helping determine which standards and best practices are working, but its real job should be to help figure out what the end state should look like (i.e., strong privacy, security, and encryption) and incentivize its implementation. There should be a benefit to those who voluntarily attest to approved trust frameworks and get third-party assessor certification of adherence. For instance, policy-makers can implement a liability shift or safe harbor for those in compliance. Legislators can work with insurance underwriters to promote lower cybersecurity insurance rates for compliant companies. Regulators must differentiate between IoT devices that are inherently consumer-centric and those that are used solely in industrial settings, and treat them accordingly. Washington should work with our international partners to ensure that foreign nations’ products adhere to our high standards in security and privacy. Lastly, the government should require that any device used by the Federal government or that connects to the Federal network follow the recognized industry standards for security and privacy. This will help create a market for strong security and privacy practices, creating a race to the top.
Now that we’ve decided to connect everything in our lives to the Internet, it’s time industry steps up to ensure it doesn’t fall into the same traps it did when the Internet was first created: not fully thinking through privacy and security issues, and trying to bolt them on after the breaches hit and people have been irreparably harmed. Only by industry and government working together can we make a thriving market for IoT devices that protect consumers, empower American IoT device and service providers, and force those willing to cut corners to do the right thing – or get out of the business.