“We’re building a robot the size of the world, and most people don’t even realize it.” This is how Bruce Schneier described the Internet of Things in a nutshell.
At present, there are more than 8 billion connected devices or “things”. That number is projected to shoot up to 20 billion devices by 2020. Sitting alongside these exciting statistics are some scary numbers. According to researchers, in the ten largest US cities alone there are over 178 million IoT devices that lack basic security features and are visible to attackers.
The “things” in our Internet of Things are frighteningly exposed. This fact was demonstrated in 2016 when the Mirai botnet disrupted the internet of millions of people in the U.S., as well as affecting service for internet users in Germany and the U.K.
So, why isn’t there more discussion about IoT hacks outside of the cybersecurity community? While the headlines are dominated by news of cyberattacks on retailers, there’s been surprisingly little buzz about this huge threat to what’s increasingly becoming the Internet of Everything.
The answer is simple: We tend not to pay much attention to things until they impede our day-to-day life. When it comes to botnets like Mirai, user devices weren’t hacked to disrupt their owners. Instead, Mirai used these hacked devices to gain enough computing power to launch a distributed denial-of-service attack on Dyn, which supports the internet access of millions of Americans.
People aren’t too worried about their vulnerable devices, so long as those vulnerabilities don’t shut down their device (in the case of ransomware) or steal their sensitive information (the way a computer hack can).
This attitude won’t work for long. In the popular imagination, the Internet of Things is a fun network of webcams, smart TVs, and wearables like your Fitbit that evokes fond feelings about The Jetsons. But as IoT technology creeps into more critical machinery in the real world (e.g. automobiles, medical devices), privacy impacts are multiplying and virtual threats become physical threats.
Consider these examples from just one industry: in 2017, the U.S. Food and Drug Administration issued a recall of 500,000 St. Jude Medical pacemakers after MedSec discovered that the device’s subpar cybersecurity protections left it vulnerable to hackers. In 2016, Johnson & Johnson warned patients about a security vulnerability in its insulin pumps.
The difference between someone remotely accessing your Fitbit and someone remotely accessing your pacemaker is a matter of life and death.
We are no longer having a niche discussion about cybersecurity.
We should be having a discussion about security and people safety.
Aren’t there regulations in place to guarantee that Internet of Things devices are safe?
The thought of someone with nefarious intent accessing a life-critical device like a pacemaker is horrifying enough for one to exclaim, “Aren’t there regulations to protect us?”
There should be, but all we have at the moment is a potpourri of guidelines and frameworks. I’m tracking more than 60 of them. In an ideal world, these separate guidelines would coalesce into one cohesive, user-friendly set of global standards that companies could use to build and maintain safe devices.
But it’s easier said than done for a couple of reasons.
For starters, IoT security is new enough to be fairly complicated. Developing these guidelines takes time and expertise, and then there’s the issue of actually making existing guidelines comprehensible to a large number of people. At present, it’s unlikely that in-house network administrators even have the specialized knowledge to evaluate the security of their enterprise’s IoT devices, requiring them to bring in outside specialists.
If technologists themselves face such an IoT security learning curve, imagine how daunting the topic must appear to lawmakers. And these are the lawmakers who have only recently started addressing cybersecurity in general.
Then there’s the issue of our own impatience, or perhaps more fairly, our collective thirst for innovation. As Mike Gillespie put it, “At the moment, IoT is driven by the desire to innovate on the part of developers and functional need on behalf of the buyers.”
There are so many devices being produced, and such a demand for these devices, that it’s grown difficult to keep up.
To regulate or self-regulate: Where do we stand on IoT security regulations?
There are quite a few Internet of Things security guidelines available from different organizations. While there isn’t yet a framework that has attained the status of global standard, experts, bloggers, and IoT enthusiasts frequently cite some more than others. A few that I’d highlight:
| IoT Security Document | Organization | Publication Year |
| --- | --- | --- |
| Baseline Security Recommendations for IoT | European Union Agency for Network and Information Security (ENISA) | 2017 |
| Security and Privacy Controls for Information Systems and Organizations | National Institute of Standards and Technology (NIST) | 2017 |
| Internet of Things Security Guideline | IoT Alliance Australia (IoTAA) | 2017 |
| Strategic Principles for Securing the Internet of Things | U.S. Department of Homeland Security | 2016 |
| IoT Security Guidelines and Assessment | GSMA | 2016 |
| IoT Security Compliance Framework | Internet of Things Security Foundation | 2016 |
| Industrial Internet Security Framework | The Industrial Internet Consortium | 2016 |
Table: Internet of Things Security Guidelines and Frameworks
So, why doesn’t a government somewhere evaluate these frameworks, consult with experts, and draft regulations?
First off, there’s hesitation to regulate the IoT industry to avoid stifling innovation.
Opponents of government regulation point to the software industry, which they say managed to work security into its products through trial and error. They believe device manufacturers will figure it out in time because their long-term success depends on it.
There’s also the issue of enforcement. Governments need to be able – and willing – to enforce IoT security regulations. And before governments can even think about enforcement, they need to agree on the specificity and extent of the standards. Will companies have to follow a handful of basic guidelines, or will they be legally obligated to take a comprehensive, security-by-design approach?
Proponents of self-regulation argue that companies will be more than happy to adopt a global IoT standard, if only to gain a recognized accreditation that will make them more trustworthy in the eyes of consumers.
Proponents of government regulation are skeptical of the power of corporate motivation. As Bruce Schneier explains, the market can’t solve IoT security on its own because markets are driven by short-term profit making.
But if there’s one thing everyone agrees on, it’s the need for some sort of global standard to adopt. Ideally, industry leaders will come together to create the framework our growing internet of things desperately needs. The successful development and adoption of this network depends on it.
Originally published on Ivezic.com on December 3, 2017.