Opinion: How to fix an internet of broken things
The recent cyberattack that crippled much of the web last week took advantage of vulnerabilities in home products connected to the internet. Fixing those flaws is possible but it requires public action and industry cooperation.
—The massive distributed denial of service, or DDoS, attack that paralyzed much of the web last week focused a bright spotlight on insecurities in the so-called Internet of Things.
That attack took advantage of rampant insecurities in gadgets such as web cams, which were corralled into a vast botnet that unleashed the DDoS on the tech company Dyn, which provides a core piece of internet infrastructure. (Click here to find out everything you need to know about the botnet.)
While the rise of smart products holds the promise to revolutionize business and society, the burning question now is whether security can scale alongside the fast pace of innovation. The market for internet-connected devices is growing so quickly that Samsung recently announced that all of its products would be connected to the Internet by 2020.
There's a way of developing connected gadgets that aren't easily susceptible to outside attack, that have more security protections, and are designed with security in mind. But it'll take more pressure on industry to make sure that happens.
First, we need more cooperation amongst stakeholders including information sharing within defined boundaries, along with graduated sanctions being in place for rule breakers. The auto industry Information Sharing and Analysis Center (ISAC) is one example of this approach that should be replicated in other IoT sectors.
Second, we should set standards for IoT devices. One model is the National Institute for Standards and Technology's (NIST) Cybersecurity Framework, along with its work on Cyber-Physical Systems. Over time, these standards could help establish a standard of IoT cybersecurity care, including new approaches to proactive cybersecurity measures.
Third, for the time being policymakers should push flexible, guidance-driven frameworks, not prescriptive regulation. Still, a range of policy options are available to incentivize cybersecurity investments, from tax breaks to public bug bounty programs.
In particular, more attention should be paid to the intersection of IoT and the need to secure supply chains. Since IT systems control everything from phones to factories, ensuring these systems are secure is of vital importance to the global economy. Yet this is a daunting proposition given varying sources of insecurity, from malicious – a 2012 Microsoft report found malware being installed in PCs at factories in China – to conflicting commercial incentives, such as Lenovo’s installation of advertising software that weaken security in 2015.
Fourth, IoT providers should be encouraged to undertake good governance best practices, which can be accomplished by effective monitoring of IoT peers and an active role for civil society in shaming outliers. The power of supply chains could be brought to bear to help encourage the dissemination of best practices, such as firms requiring NIST Cybersecurity Framework compliance from their suppliers, along with mandating the ability to do software updates for IoT devices. Similarly, an active dialogue between public and private sector supply chain governance is needed.
Fifth, government should be willing to allow industry to react to data breaches without overly broad, harsh or punitive fines, except in egregious circumstances as has begun to be defined in the US context through recent Federal Trade Commission litigation.
More broadly, policymakers can consider a range of policy options to enhance cybersecurity ranging from the manageable (offering grants to establish a nationwide network of cybersecurity clinics geared toward serving under-resourced stakeholders such as local governments and school corporations) to potentially helpful but politically challenging (national data breach notification that includes "reasonable" cybersecurity practices along with product recalls for insecure devices). And other questions loom, such as whether or not the FBI or another agency should be allowed to hack a botnet to stop these sorts of IoT-enabled cyber operations.
Already, the European Union is taking some steps in this direction with the Network Information Security (NIS) Directive, which, among other things, calls for a standard of cybersecurity for all businesses based upon risk management, information sharing and breach reporting between EU Member States, and multistakeholder participation in coordinated responses to cyberthreats.
We’ve come a long way since Kevin Ashton first used the expression "Internet of Things" as the title of a presentation he gave for Proctor & Gamble in 1999. The promise of networked smart devices is finally being realized, but in order to avoid the same litany of cyberattacks and data breaches we've seen in other contexts it's vital to adopt proactive policies that help drive the evolution of effective and secure IoT governance before cyber insecurity becomes replete in the Internet of Everything.
Scott Shackelford is an associate professor at the Indiana University Kelley School of Business where he teaches cybersecurity law and policy. He is the director of the Ostrom Workshop’s Program on Cybersecurity and Internet Governance, a Research Fellow at the Harvard Kennedy School’s Belfer Center for Science and International Affairs, and a senior fellow at the Center for Applied Cybersecurity Research. This article was adapted from When Toasters Attack: 5 Steps to Improve the Security of Things, which was published by Cyber Magazine.