Nobody in the IT industry would argue that the Internet of Things (IoT) is becoming more secure. Pretty much the opposite.
But not for lack of effort. There have been multiple, ongoing initiatives over the past decade, both public and private. There have been dire warnings, publication of various standards and best practices, technology improvements, legislation to encourage threat information sharing and exhortations from government agencies, congressional committees, security firms and conference speakers.
Unfortunately, none of them has worked very well so far.
In spite of some of the best minds and technology improvements in the world focused on it, most of the IoT’s billions and billions of connected devices remain catastrophically insecure, lacking what experts call the most basic “security hygiene.” The flaws include hard-coded credentials, simple and default user names and passwords and the lack of any way to patch or update exploitable vulnerabilities.
Why else would Taiwan-based D-Link and its US partner D-Link Systems be the target of a recent lawsuit by the Federal Trade Commission (FTC) that alleges basic security flaws like those in its routers and Internet cameras?
Why else would one of the major themes of the upcoming RSA conference be focused on the issue?
So, perhaps the way to kick-start what everybody but criminals, terrorists and tyrannical regimes says they want is the old-fashioned way: an aggressive increase in lawsuits against developers and makers of the billions of devices that comprise the IoT. The threat of crippling sanctions, fines or liability damages is usually enough to get the attention of the C-suite.
Certainly there is a need for something that will at least tip the security balance in favor of the good guys.
Last fall’s Distributed Denial of Service (DDoS) attack on Internet Domain Name Service (DNS) provider Dyn was just the most high-profile recent example – a stark illustration of how easily a botnet of IoT devices could be enlisted to take down something as crucial as a portion of the internet backbone.
That and many other attacks have prompted some recent high-profile calls for more aggressive government involvement in regulating the IoT. Last November, Bruce Schneier, CTO of Resilient Systems (recently acquired by IBM); Kevin Fu, CEO of Virta Labs and a professor at the University of Michigan; and Dale Drew, CSO of Level3 Communications, an internet backbone provider, told the House Committee on Energy and Commerce why the private sector won’t solve the problem. Schneier called it “a fundamental market failure.”
Sen. Mark Warner (D-Va.) sent a letter, after the Dyn attack, to the FTC, Federal Communications Commission (FCC) and a division of Homeland Security, asking if it would be possible to keep insecure devices off the internet by denying them IP addresses.