Anyone who knows me will hear me whine that no one takes IT Security seriously enough. The main reason is that there are no teeth in the laws that cover breaches. That leads to organizations pinching pennies. Here is an article by Bruce Schneier that lays out the case. Will I stop whining — not yet.
Bruce Schneier: You want real IoT security? Have Uncle Sam start putting boots to asses.
Infosec’s cool uncle says to hell with the carrot
Any sort of lasting security standard in IoT devices may only happen if governments start doling out stiff penalties.
So said author and computer security guru Bruce Schneier, who argued during a panel discussion at the Aspen Cyber Summit this week that without regulation, there is little hope the companies hooking their products up to the internet will implement proper security protections.
“Looking at every other industry, we don’t get security unless it is done by the government,” Schneier said.
“I challenge you to find an industry in the last 100 years that has improved security without being told [to do so] by the government.”
Schneier went on to point out that, as it stands, companies have little reason to implement safeguards into their products, while consumers aren’t interested in reading up about appliance vendors’ security policies.
“I don’t think it is going to be the market,” Schneier argued. “I don’t think people are going to say I’m going to choose my refrigerator based on the number of unwanted features that are in the device.”
Schneier is not alone in his assessment either. Fellow panellist Johnson & Johnson CISO Marene Allison noted that manufacturers have nothing akin to a bill of materials for their IP stacks, so even if customers want to know how their products and data are secured, they’re left in the dark.
“Most of the stuff out there, even as a security professional, I have to ask myself, what do they mean?” Allison said.
That isn’t to say that this is simply a matter of manufacturers being careless. Even if vendors want to do right by data security, a number of logistical hurdles will arise both short and long term.
Allison and Schneier agreed that simply trying to port over the data security policies and practices from the IT sector won’t work, thanks to the dramatically different time scales that both industrial and consumer IoT appliances tend to have.
“Manufacturers do not change all the IT out every five years,” Allison noted. “You are looking at a factory having a 25- to 45-year lifespan.”
Support will also be an issue for IoT appliances, many of which go decades between replacement.
“The lifespan for consumer goods is much more than our phones and computers; this is a very different way of maintaining lifecycle,” Schneier said.
“We have no way of maintaining consumer software for 40 years.”
Ultimately, addressing the IoT security question may need to be spearheaded by the government, but, as the panelists noted, any long-term solution will require a shift in culture and perception from manufacturers, retailers and consumers.