The market, not government regulation, will push IoT security to a higher standard, says John Ellis of Ellis & Associates.
Information security professionals still reeling from the latest megabreaches could soon face even bigger problems as demand drives the Internet of Things (IoT) global long before the inevitable competitive shakeout can drive insecure devices from the market.
That's the view of several veteran cybersecurity specialists and attorneys with whom we spoke. The consensus is that in the anything-goes IoT environment, diligent security efforts by major industrial enterprises are undercut by low-cost manufacturers and old-school factory bosses who lack the IT experience to ensure that their internet-connected devices meet even rudimentary cybesecurity requirements.
Eventually, the market, not government regulation, will push IoT security to a higher level, says John Ellis, managing director of Chicago-based Ellis & Associates, a technology firm focusing on IoT in the automotive and other industries.
“We don't have the necessary frameworks in place to allow us to determine our destiny,” says Ellis. As IoT devices generate vast amounts of information, users may assume that IoT data is forgotten when, in fact, it is being funneled into data analytics operations run by vendors or third parties, he adds.
The need to secure internet-connected non-IT devices is not a new issue, of course. Since the 1990s, the U.S. government and private industries – such as defense and energy – have worked to secure critical infrastructure, an effort that gained a new urgency following the Sept. 11, 2001 terrorist attacks. This older internet of – very big and important – things remains a major focus for the Department of Homeland Security, as well as the U.S. Armed Forces and intelligence agencies.
Steve Brumer, partner, 151 Advisors
Marcus Christian, partner, Mayer Brown
John Ellis, managing director, Ellis & Associates
Juanita Koilpillai, CEO, Waverley Labs
Isaac Porche, engineer, RAND Corp.
Thomas Smedinghoff, attorney, Locke Lorde
Of course, the cybersecurity resources and methods allocated to defend the Los Alamos National Laboratory aren't easily mapped onto a camera-equipped refrigerator that tracks your food and uses your home router to ping you with a shopping list. On the contrary, countless IoT devices are rolling out of factories with little more than a chip and a Wi-Fi card that can easily compromise privacy and physical security in the home.
Thus, in 2014, a survey by HP found that 70 percent of IoT devices were unsecure. “ A couple of security concerns on a single device, such as a mobile phone, can quickly turn to 50 or 60 concerns when considering multiple IoT devices in an interconnected home or business,” the report concludes. Another study, by IDC, predicted that by the end of 2016, some 90 percent of IoT devices will have suffered a breach, even if they are considered “inconveniences.”
The lack of IoT security was one of the reasons an anonymous computer engineer in Europe launched a popular Twitter account, dubbed IoS – with the “s” standing for an earthy expletive.
What's more, the wave of IoT data generated by everything from home motion sensors to industrial-scale HVAC equipment poses other concerns over privacy – not just protection from hackers, but businesses that are amassing and mining that data to gain a competitive edge.
“There is a big problem with data analytics,” says Steve Brumer (right), an Atlanta-based partner at the consulting group 151 Advisors. “Do I own the data from my car or my Nest [home environmental control] unit?” What's more, smart TVs, from companies like Samsung and LG, route all internet traffic through their domains. “Does that mean they can see everything?”
Whether or not TV makers are using the IoT to play Big Brother, there are plenty of Big Data efforts underway to harvest IoT output and make it profitable. For one, MongoDB, the developer of the popular open source NoSQL database, is positioning itself as a platform for IoT development for those who seek to turn IoT data into a marketing tool.
But a loss of privacy – now commonplace in megabreaches – is only one kind of potential harm from the IoT, says Thomas Smedinghoff an attorney with the Chicago-based law firm Locke Lorde. “The other kind is property damage or personal injury, as when someone hacks into my thermostat,” says Smedinghoff. “My pipes freeze and I have major damage. Or, you hack into my car and cause an accident.”
The law has tended to come down more severely in cases of personal injury, adds Smedinghoff, who spoke on IoT issues at an American Bar Association meeting in March.
“But with IoT, we are at the very beginning of that whole process,” Smedinghoff says. “There is, at one level, the reasonableness standard. If I am selling you an IoT device, what is that device designed to do, and what did I do relative to the risk? What kind of risks does the device raise?”