We Need to Rethink Connected Security
More than a few experts have described IoT security—or perhaps, more accurately, the lack of it—as an impending catastrophe. In Bruce Schneier’s most recent book, Click Here to Kill Everybody, the cybersecurity guru outlines the risks of connected devices, from baby monitors and drones to connected cars and automated stock-trading systems. At some point, and perhaps in the not-too-distant future, we could see deadly results. Perhaps a Cyber-9/11.
The message isn’t particularly new. Alarms have been going off for the last few years. Researchers, hackers, and attackers have consistently demonstrated that connected devices lack basic security protections. In some cases, it’s a vulnerability in the firmware or OS. In other cases, there’s a problem with the network or wireless protocols. In a hyperconnected world there are many ways to exploit devices.
At the heart of the problem is an inability, or perhaps a lack of desire, to focus on security from the beginning and bake it into devices and systems. An August 2018 study, commissioned by the IoT Security Foundation, reported that only 9.7 percent of companies with IoT products have a public disclosure policy that allows researchers to probe known vulnerabilities. The remaining 90.3 percent prefer to keep known problems under wraps.
This mentality must change, and integrators and resellers have a central role in reshaping it by pressuring manufacturers to engineer devices with better security. The current state of apathy is leading society down a very dangerous path. Will the next stage of ransomware revolve around paying $5,000 or $100,000 in bitcoin to regain control of a connected thermostat that operates an HVAC system? What happens if cyberthieves take control of pacemakers implanted inside people?
If industry doesn’t address the problem, government will. In August, California became the first state to pass a law addressing security for connected devices. It will go into effect on January 1, 2020. The new law mandates that manufacturers of any IoT device equip it with “reasonable” security features. It covers issues such as authentication and device use, modification, and destruction.
As everyone knows by now, what happens in California doesn’t stay in California. The state, which wields enormous power (it represents 14 percent of U.S. GDP), typically serves as a catalyst for change. The coming law, while intentionally vague, will likely ignite similar bills nationwide.
On the upside, making device manufacturers responsible for IoT security is a giant step forward. On the downside, different states with different laws and regulations could prove frustrating, perhaps even nightmarish, for manufacturers and integrators.
Where do we go from here? We all need to change our mindset from manufacturing and integrating systems with a “we will deal with cybersecurity when problems occur” approach to “we will address cybersecurity at the very beginning and focus on it holistically.” Unfortunately, the marketplace rewards speed and profits much more than security. But all of that may come crashing down if and when banking or smart city systems collapse, or when we’re forced to cough up ransoms to toast our bread or drive our car.
Samuel Greengard is a business and technology writer based in West Linn, Ore. He is the author of The Internet of Things (MIT Press, 2015).