WHY IoT IS A FRIGHTENING SECURITY PROPOSITION
In the lead-up to the 2008 financial crisis, Wall Street bankers combined huge tranches of terrible home loans (most wrapped in AAA ratings) from greedy and unsupervised loan agencies and sold them off to giant investors like pension funds and university endowments. The big Wall Street entities realized that these loans were going bad, so they got them off their books as quickly as possible by selling them to unwitting investors. The fallout cost the U.S. economy $22 trillion, 12 million jobs and $9.1 billion in homeowner paper wealth. Oh, and it almost took down the entire world financial system. Taxpayers took the hit and also provided the money for the massive bailouts of the banks. Nobody went to jail or had to plead wrongdoing.
There were many hotly debated lessons of the 2008 financial crisis, and a couple of them are relevant to the topic of IoT and security. First, mortgage loan companies and banks were doing what they were created to do – make money. They were operating under a system that didn’t police them, or that felt it was fine for companies to police themselves. Second, the oversight created to rein in this type of risky behavior was too fragmented and lacked the power and knowledge to enforce much of anything. Third, this massive problem that caused havoc in the world’s financial systems was created by thousands of small and questionable decisions that reached critical mass.
I am not saying that IoT will create a world financial crisis. But, I do believe that what happened in 2008 stands as a cautionary tale as government and technologists attempt to navigate the way toward secure IoT. In many ways, the American people have no choice but to trust our largest private, public and government institutions – that they are working to profit and protect us in reasonable, ethical ways. IoT is a stark example that with huge opportunity comes big-time risk. Why?
It has become relatively easy to protect our computers and phones, as there are thousands of developers working at the few producers of these products to solve a lot of the same problems. When problems arise, updates with patches can be quickly distributed. But that ecosystem does not exist for IoT devices, which are physical devices with embedded systems, or some combination of hardware and software. A potential IoT device is anything from a baby monitor to a voting booth to an electrical grid, as well as your smart TV, FitBit, refrigerator and your new car.
Bruce Schneier, CTO at IBM Resilient and Special Advisor to IBM Security, does a great job of explaining this in his talk at RSA 2017. He describes IoT as a clash between two paradigms. Paradigm A he calls “The World Of Dangerous Things”. These are things like planes, cars, buildings and medical devices that live in the highly regulated world of codes, standards and oversight; these “things” have to be built correctly because the cost of a fix is so high – think of a car recall. Paradigm B is the freewheeling world of software based on speed, agility and creativity. Both the cost of failure and the cost of a fix are low. IoT is the combination of these two worlds, and there is no oversight, no company-to-company agreements, no standards or blueprints, and no governmental agency tasked with regulating this massive industry.
This is where my 2008 financial crisis example comes in. If a hacker breaks into a hospital and steals health records, that’s bad. Patients have to deal with privacy concerns, and the hospital might have to pay a ransomware demand, plus take a hit to its reputation and a healthy fine. But with IoT, we’re talking about a hacker taking down a power grid, or using your TV to record your conversations, or commandeering your self-driving car, or shutting down your office building. All of these have been done and are on the more harmless side of potential problems. In the future, remotely crashing an airplane, swinging an election, or somebody shutting down your pacemaker are very real possibilities.
The concept of IoT is simple – everything is becoming a computer. So naturally, securing these devices will impact every aspect of our lives. Schneier is right when he says that an IoT device “senses, thinks and acts... this is the classic definition of a robot.”
Our internet security problems are serious, but not nearly as serious as they are going to be. Currently, we handle these problems with hundreds of vendors pitching different variations of solutions, and we hire security people for thousands of different companies, each with unique security problems based on product, size and scale. I’ve got serious concerns about applying our current solutions to IoT. The lack of focus on secure software, massively complicated connections and the huge vulnerabilities in networks and computers are problems that will not be solved on a self-policing, individual-company scale.
We need collaborative agreement and action between technologists and government. I think we need dedicated government oversight that actually works. Ethical technologists should be deeply involved so we don’t curtail innovation, but we also need to have sober conversations about data and connectivity. Alarmist? Hopefully not, but I believe this issue to be important enough for the American people that it should receive the full attention of our brightest minds in tech and government.