If it isn’t secure, it shouldn’t be allowed on the Internet. There, I said it.
The litany of increasingly menacing cyber hacks, breaches and blockages of 2016 casts a dark shadow on our collective rush to innovate. While not responsible for every new attack, the rise of the IoT has demonstrably fueled a heightened level of destructive capability for threat actors, and poor security implementation is the root cause.
There is no turning back the clock to a simpler time: IoT is the way of the future. But in manifesting that future, the focus has been on speed to market, cost minimization, and ease of use. All are admirable business goals, but as we’ve learned this past year, they’ve resulted in calamitous side effects when the basic and very elemental security processes get breezed over in the push to obtain them.
Yes, consumers want inexpensive, uncomplicated, and novel applications — those “plug and play” remote-control security cameras and baby monitors, automated utilities, programmable conveniences. And yes, companies respond to that demand seeking profit in the face of real-world market pressures. This generates tremendous innovation.
But when it comes at the cost of being able to do our jobs or access our news outlets or rely on our power grids or our emergency services or the privacy of our health records or bank accounts…need I go on? It’s time for everyone to take a deep breath and reconsider our IoT priorities.
There is an inherent tension between the notion of the Internet, which by design is made for sharing information far and wide, and IoT devices and solutions, which are increasingly “personal” and collect/use information that must be protected.
Unfortunately, IoT device manufacturers have tended to tilt toward the “Internet” side without seriously addressing the consequences of not securing the actual “things” they are selling. However, reasonable methodologies for ensuring IoT device and system security follow the same engineering best practices espoused in other manufacturing disciplines. There is really no excuse for poor security implementation. It’s just been easier and cheaper to push responsibility onto the next participant in the IoT chain. Ultimately, the onus of properly securing services or devices has fallen to the end user, who is usually ill-equipped to handle the job.
Too much focus on business-related risk?
Further, when they do advocate for improved IoT security, companies too often dwell on business-related risk: “You don’t want to be the next security scandal in the headlines. You’ll lose customers and face a host of legal and financial penalties that could threaten your business.”
That sort of thinking is actually quite shortsighted. IoT gives “the Internet hands and feet: the ability to directly affect the physical world,” according to cybersecurity guru Bruce Schneier.
In a recent op-ed, he wrote: “What used to be attacks against data and information have become attacks against flesh, steel, and concrete … The possibilities are pretty literally endless. The Internet of Things will allow for attacks we can’t even imagine.”
Considering the exploitable weaknesses already evident in recent examples of hackable cars and thermostats, it’s an understatement to say that the IoT ecosystem must take privacy and security more seriously. IoT manufacturers have a moral obligation to meet baseline security standards, enforce policies and procedures to prevent infiltration, provide means to detect inappropriate access to connected products, and minimize any potential damage caused by unauthorized access.
As Schneier points out, an unsecured IoT device or series of devices or systems can cause irreparable physical harm to individuals, groups, nations, and the world itself. Does anyone really want to be the device maker that facilitates the first IoT-caused injury or death?
Security is the categorical imperative of the IoT. Many companies have always understood this and have never abdicated their responsibilities. But that understanding needs to be made absolute. Security must be baked directly into every IoT solution; incorporated into the development process of all devices and systems and suppliers; normalized across every application.
All stakeholders need to be on a common ground — and education is the first step. Efforts like those of the Internet of Things Consortium (IoTC) Privacy and Security Committee seek to establish and disseminate guidelines for minimum viable products and policies to strengthen privacy and security.
There is no such thing as infallible security and there will always be people looking for ways to exploit and subvert IoT technologies. But we don’t have to make it so easy for them. From device manufacturers, to platform providers, to solutions suppliers of any kind dealing with IoT technology — all need to epitomize the security mindset.
If it isn’t secure, it shouldn’t be allowed on the Internet.
The author is the Chief Scientist and Technology Evangelist of Greenwave Systems. He is responsible for oversight of technology, architecture and innovation of their Axon platform. This article was produced in partnership with Greenwave Systems Inc.