Opinion: Fortifying the Internet of Things means baking in security at the beginning
Protecting smart devices means building cybersecurity into the design process, from hardware to software. Making security a priority at the start, instead of coming up with patches later, is the key to ensuring the growing number of connected gadgets remain safe.
The rapid rise in Internet-connected gadgets has the potential to profoundly and positively affect our daily lives, from how we monitor home security to tracking medical devices.
But as the so-called Internet of Things brings about new developments in everything from health care to home care, it comes with a downside, too, as it opens up users to security vulnerabilities that did not previously exist.
Policymakers and legislators have entered the fray. The Federal Trade Commission recently released a report on the Internet of Things that contains guidelines to promote consumer privacy and security. And, last month, the Senate issued a report from the staff of Sen. Ed Markey (D) of Massachusetts that zeroed in on the vulnerabilities within Internet-connected cars. Both reports recognize that this emerging era when everything can be connected calls for crucial safeguards.
The Senate report, for instance, found that measures to protect against remote and unauthorized access of cars’ electronic operating systems are “inconsistent and haphazard” when looked at across the board. While the potential for harm is real, manufacturers’ understanding of the problem is still evolving. The upside is that some have recognized the need for prompt attention to the matter – such as BMW, which last month patched a cybersecurity flaw affecting more than 2 million vehicles. However, unless and until we address these gaps and shortcomings more systematically, as a nation, we will be doing ourselves a serious disservice and those who wish to do harm a potential big favor.
The crux of the problem is that our desire and ability to innovate has so far outpaced our commitment to embedding cybersecurity into the design process. The upshot is that even the most sophisticated entities have historically taken – and may still be taking – more risks than they should when conducting business using devices and networks constructed with parts that aren't secure.
While the concern is easy to grasp in the context of defense matters that underpin US national and economic security, it is important to appreciate the seriousness of the harm that may materialize in civilian context, too. Consider, for example, our critical infrastructures, such as our oil and gas facilities. Are we doing all that we can in the energy sector to design securely and to ward off intrusions? Or, is this sector (and others) at serious risk because the intellectual property that drives it was inadequately safeguarded from inception, vis-à-vis cyber-adversaries?
These same principles are at play when it comes to the devices that collectively constitute the Internet of Things, and the prognosis is equally poor.
Bear in mind that there is no shortage of actors who may wish to do us harm, from nation-states to terrorists and criminals. Against this background, a broad, concerted, and sustained effort to build in cybersecurity at the front end is needed, and it is needed now. Anything less amounts to repeating the same mistake, over and over, while expecting a different result.
Consider the potential consequences of compromise of our cars or even our home appliances. A hacked vehicle could result in loss of life or limb; and a compromised fridge (or smartphone) could serve as an entrée to manipulate other networked devices and data.
The good news is that the word is already spreading. Popular TV shows such as “24” and best-selling video games such as “Watch Dogs” are increasingly based on plots and premises that illustrate the point. On “24”, for example, viewers saw the portrayed US unmanned fleet hacked and attacks launched on London. And in “Watch Dogs”, the self-styled “antihero” roams the city, deciding which infrastructure (trains, traffic lights, communications systems, etc.) to hack. While this is fiction and fantasy, the game is grounded in the art of the possible.
The time to get serious is now. This means incorporating cybersecurity into the design process, from hardware to software to (forgive the jargon) the interface protocol level. Fortunately, there are plenty of creative ways to get to goal. But we must focus and dedicate the time, effort, and investment that are needed to forestall preventable harm.
One fairly easy fix would be for all Internet of Things devices to have shutoff modes that give users optional connectivity choices that default to off upon shipping, and self-patch themselves upon activation. Such is one way to keep unwanted intruders out. At the same time, it is crucial to do the strategic groundwork necessary to underpin smart national choices and actions.
For instance, it would be valuable for an entity like the National Academy of Engineering to analyze the tradeoffs between security and capability, in relation to the universe of devices that together make up the Internet of Things. Figuring out how to measure the balance between security and capability would help to integrate cybersecurity policy into the commercial design process in a scientific way. We need a better understanding of coming threats, too. And to ensure we're even prepared for the unexpected, we need to fund cybersecurity training efforts, particularly in relation to acquisition and secure design. All of that would go a long way toward improving our ability to manage and mitigate risk, and remain resilient and systems-go, even if attacked.
The bottom line is that you don’t truly have capability if you don’t have security. The case is all the more compelling because cybersecurity can and should be enhanced in an affordable manner that does not simply add costs to the end consumer. This could, in fact, be achieved by starting early in the design process and continuing through product testing.
Let’s act now. The FTC report is a good start, suggesting a range of best practices and recommendations for companies whose business intersects with, and bears upon, the Internet of Things. Its proposals include building security into devices at the front end, rather than retrofitting them later on; and training company employees so as to reinforce the importance of security-related matters.
These ideas dovetail well with our own arguments set out above and elsewhere; but more action, across a wider array of industry sectors – and even across borders – is urgently needed for policy to catch up with technology.
Michael L. Papay, Ph.D., is Northrop Grumman’s vice president and chief information security officer. Frank J. Cilluffo is director of the George Washington University Center for Cyber & Homeland Security (CCHS). Sharon L. Cardash is associate director of CCHS.