In today’s ever-connected society, how much thought do we give to IoT security? The number of connected devices is surging and will continue to do so. Has the time come for governments to start regulating internet of things (IoT) security? Bruce Schneier, CTO of IBM’s Resilient Systems, thinks so. Making his case at the recent SecTor security conference, Schneier discussed the need for increased regulatory oversight of software and IoT.
In his keynote, Schneier observed that today everything is basically a computer, whether it’s a car, a watch, a phone or a television. IoT combines several functions: sensors that collect data, computing power to figure out what to do with the collected data, and actuators that affect the real world.
“Sensors are the eyes and ears of the internet, actuators are the hands and feet of the internet, and the stuff in the middle is the brain,” Schneier said. “We’re creating an internet that senses, thinks and acts—that’s the classical definition of a robot.
“We’re building a robot the size of the world, and most people don’t even realise it.”
Essentially, internet security is now becoming ‘everything’ security, according to Schneier. As such, he noted that computer security expertise is now needed in the auto industry because cars are now computers and all the lessons of the cyber-world are applicable everywhere.
“Availability and integrity threats are important as real risks to life and property now,” he affirmed. “So now vulnerabilities have very different consequences. There is a difference between when a hacker crashes a computer and you lose your data and when a hacker hacks your car and then you lose your life.”
In Schneier’s view, many of the existing security paradigms fail in the new world of IoT. Whereas traditional software firms and big mobile vendors like Apple and Google have dedicated security teams, the same is not always true for IoT vendors. As a result, Schneier said, IoT devices are often not patched quickly, if at all.
“A home DVR could have been part of the Mirai botnet, and likely most people just don’t care so long as the device works,” Schneier said. “Defending against Mirai is hard because it’s not just dropping a patch on Windows and making it go away.”
The challenge of cyber-security cannot be effectively solved by industry alone, according to Schneier. Instead, he advocated for government involvement to help regulate technology security. As internet-connected devices move into regulated industries, Schneier expects that computer software, which has largely been regulation-free, will need to change. There are also historical precedents for new technology usage leading to new government agencies and regulations. For example, the emergence of cars, airplanes, radio and television all led to government agencies and regulation.
Additionally, Schneier said there is a need to have a counter-balancing force for corporate power.
“Government is how we solve problems like this,” said Schneier.
Schneier expects that many issues around connected technology regulations will need to be debated and resolved, but in his view there really isn’t a better alternative for ensuring cyber-security safety than government regulations. That said, the predominant reason for his address at SecTor was to help raise awareness and get cyber-security professionals engaged in government policy conversations.
“As technologists, we need to get involved in policy, since IoT brings enormous potential and enormous risks,” Schneier said. “As internet security becomes everything security, all security has strong technological components.
“We’ll never get policy right if policy makers get technology wrong.”