SAN FRANCISCO -- Gartner estimates 6.4 billion Internet-connected devices will be in use this year; by 2020, the number skyrockets to 21 billion. Unless the companies that make these interconnected devices overhaul their information security practices and incorporate them into development processes earlier, IoT will be DOA.
The warning was issued at the RSA Conference 2016 in San Francisco from a panel of Internet of Things security experts: Eric Hibbard, CTO for security and privacy at Hitachi Data Systems Corp.; Nithan Sannappa, senior attorney for the Federal Trade Commission's (FTC) privacy and identity protection division; and Jay Brudz, chair of the information governance and e-discovery group at law firm Drinker Biddle & Reath LLP, based in Philadelphia.
"Where it's scary from the security perspective is the massive scale. We're already, as security professionals, struggling to just deal with [existing IoT devices], but when you look at putting out a thousand times more of these kinds of things, which will be just as smart in 2020 -- that's a little worrisome," Hibbard said.
Part of the problem, he said, is many IoT manufacturers are new to the computer and networking space, and have never operated in this space before. Combine that with the current dearth of IoT security standards, and you've got a recipe for half-baked security.
"We're looking at three or four years out before standardizations start arriving. The legal community will weigh in on this early, which will be a wake-up call to some of the manufacturers and solution providers building this house of cards," Hibbard said.
Brudz agreed, pointing out that a lot of IoT vendors operate under the startup mentality: pushing out a minimum viable product that they can sell and make money from fast -- a process that does not seem to involve incorporating security functionality, or very little of it, in Brudz's view. "It's a lot more about what code to write ... about launching it and then fixing it later," he said.
The FTC's Sannappa concurred, saying while the IoT consumer product space is pretty new, past enforcement cases concerning IoT security failures echo mistakes the agency has seen companies make in network, software and mobile security.
"We see common themes like ... not doing security architecture and design reviews, not doing penetration testing, not having processes in place that address vulnerability reports from outside researchers," he said.
Sannappa has also seen companies not providing consumers with the pertinent information they need to make purchasing decisions -- or, after being warned by the FTC about security failures, refusing to take the necessary actions to fix them until the product has reached consumers.
He pointed to a recent FTC settlement with computer hardware maker Asus regarding its faulty routers. The routers were riddled with common, well-known vulnerabilities that the company was warned about, but failed to secure them before selling the products to customers, instead marketing them as being equipped with security features that would protect users from unauthorized access and viruses.
Guidance on IoT security
The place to start on IoT security protocol is to look at past FTC enforcement actions and cases to come up with what not to do -- and best practices for a reasonable information security program, Sannappa said.
One cardinal rule is that IoT security is not a once-and-done thing.
"We've spoken with companies about [being specific regarding] the update path for their devices. ... We're trying to make sure companies are supporting clients and customers until a reasonable end of life, or at least providing them with pertinent information," he said.
Hibbard, whose company is involved in smart cities initiatives worldwide, agreed, adding that it's important to understand the damage lax security can do -- to your company and the industry -- and address IoT security early. Hibbard said he has seen firsthand how a lot of players in the space do not consider security as a competitive advantage.
"If you're thinking about buying or making IoT, offshoring it to an APAC region, make no assumptions that they're going to know anything about security. You won't be able to retrofit it, so if you want it, order upfront," he said.
Brudz also warned IoT makers to capture the security steps they have taken.
"Show your work," he added. "You need ... to make sure you're properly documenting processes that you went through; you want to make sure you get credit later. You don't want to say to the FTC that you don't have the records."
CIO news roundup for week of Feb. 29
RSA Conference 2016 goers had plenty of security news to chew on this week:
- Apple got a leg up this week: On Monday, a New York federal judge ruled that the U.S. government could not use the All Writs Act of 1789 to force Apple to unlock an iPhone in connection with a drug case. This development could help the tech giant in its dispute with the FBI, which revolves around whether Apple is legally required, under the All Writs Act, to create new software that would help the FBI access data in the San Bernardino shooter's phone.
- The Pentagon is taking further steps to address the growing cybersecurity gap. Defense Secretary Ash Carter launched a nationwide appeal to American tech companies and military facilities, beginning in Seattle, asking for their help to "build and rebuild bridges" to local communities, as well as to draw technology talent to join the Defense Department. The Pentagon also launched a competition, called "Hack the Pentagon," which offers private citizens a chance to hack the Defense Department's public websites.
- Remember the attack on Ukraine's power system two months ago? Turns out the power blackout was caused by a cyberattack -- the first of its kind, according to senior U.S. officials. They said attackers worked remotely to conduct extensive monitoring of the power grid's networks, steal system operators' credentials, switch breakers and leave more than 225,000 Ukrainians without power. The investigation is still undergoing.
- The IRS is having more security troubles. Last year's IRS data breach, which the agency originally said affected 100,000 people and later changed that number to 334,000, is now saying the actual number of stolen records was 724,000. That's not all. In order to protect breach victims from further fraud, the IRS provided them with identity protection PINs, or secret codes taxpayers must put on their tax returns or they will not be accepted by the IRS. The clincher: The system that secures the process of retrieving PINs is the same system the hackers had broken into in their original breach.
More RSA Conference 2016 coverage:
Apple made 'goofs' in FBI controversy
U.S. Cyber Command chief asks for private sector cooperation
The nuanced debate of government encryption backdoors