How can we manage IoT risk?
- By Derek Major
- May 23, 2016
Even as the number of Internet-enabled devices flowing into the market seems unstoppable, policymakers debate government’s role in managing the risk they present.
Allan Friedman, director of cybersecurity initiatives in the Department of Commerce, said that there are still many unanswered questions about the risks related to the Internet of Things.
“How do we make sure the risk is managed? Whether it’s patching over time or making sure that you de-permission the previous user of a device, that’s something we have to figure out,” Friedman said at a panel on managing IoT risk hosted by the Center for Strategic and International Studies. “Another question is how do we make sure that devices are field upgradeable? And if they’re not, how do we communicate the risk back to the consumer that they’re buying it with no way to secure it?”
Even with the major tech or automotive manufacturers providing ample security for their products, it's difficult to ensure that all products are safe, said Melika Carroll, a policy advisor for Sen. Brian Schatz (D-Hawaii). “It’s the mom and pop shops connecting their products to the Internet that … may not know how to write code. You also have the end user who then implements the device at home,” she said. “So the risk is not just at the device, it’s at all levels.”
Nor is risk limited to consumers, Friedman added, noting that the State Department is very interested in the security behind Internet-enabled vehicles.
“They buy lots of cars, and in those cars they put very important people,” Friedman said. “So they’re very concerned about making sure the cars aren’t just resilient against something that a smart hobbyist can break but also some very determined bad guys can break.”
One way to bolster IoT security is through regulation.
Last year Sen. Edward Markey (D-Mass.) introduced a bill that would require makers of wireless access points on connected cars to conduct penetration testing and would call for car manufacturers or security vendors to be able to detect and respond to hacking attempts in real time.
However, the nature of the IoT may be making sector-specific legislation moot.
“A lot of the technology companies are building across sectors -- aviation, healthcare and critical infrastructure,” Carroll said. “So how do you protect the right types of data and have a level playing field so that requirements are not impossible to implement?”
Brian Witten, a senior director with Symantec, acknowledged that hacks and vulnerabilities are becoming more prevalent, but he said he believes they will lead to security consensus from manufacturers and consumers.
“We see month by month increasing active exploitation of IoT devices; we see cars being stolen based on security mistakes in keyless ignition systems,” Witten said. “But my hope is that this will lead to more transparency on how much security is built into these things.”
Derek Major is a former reporter for GCN.