Welcome to the Insecurity of Things
The rapid spread of intelligent devices connected by the Internet of Things poses the ultimate cybersecurity challenge.
The Internet and all its mixed blessings are currently in full flower with the Internet of Things (IoT). Online connectivity, once a mere matter of logging on through PCs, has given rise to hyperconnectivity. The potent combination of computer processors, communications and the economic dictates of Moore’s Law has made possible not only smart phones, netbooks, tablets and watches but also intelligent cars, utility meters, homes and appliances, vending machines and factories.
Gartner projected last fall that 6.4 billion “connected things” will be in use this year, 30 percent more than in 2015. The research firm forecast a total of 20.8 billion by 2020; others are estimating 30 billion to 50 billion. The excitement in technology and other sectors is understandably palpable. The ability to communicate remotely and apply massive data for analysis and decision making conjures visions of artificial-intelligence nirvana.
But for the hackers who constantly besiege and disturbingly often penetrate today’s cybersecurity defenses, the IoT represents the ultimate honeypot. Demonstrations of the vulnerability of driverless cars and electronic voting machines hardly instill confidence that IoT security is ready for prime time. Data security company Proofpoint in 2014 documented a botnet attack in which “more than 25 percent of the volume was sent by things that were not conventional laptops, desktop computers or mobile devices; instead, the e-mails were sent by everyday consumer gadgets such as compromised home-networking routers, connected multimedia centers, televisions and at least one refrigerator.”
Early this year threat detection company Vectra Networks showed how webcams can be commandeered as undetected backdoors into company databases. “These devices do not have the processing power or memory to run antivirus or other security software,” noted Vectra chief security officer Gunter Ollman.
The original architecture of the Internet, which grew out of U.S. Department of Defense research projects dating back to the 1960s, stressed collaboration and gave little regard to data security. An entire industry grew up to fill those gaps. What is known to some as the cybersecurity industrial complex has been effective but imperfect in dealing with agile and well-financed adversaries that appear increasingly to be state-sponsored.
Does the IoT amount to history repeating, a new Internet with infinitely more points of poorly protected access? Is there still time to get it right?
In a survey last year by the cybersecurity association ISACA, just 22 percent of 7,000 information and security technology professionals expressed confidence that they could control access to data generated by home-based IoT devices. “The Internet was built without security in mind — we bemoan that all the time,” Suzanne Spaulding, U.S. Department of Homeland Security undersecretary for the National Protection and Programs Directorate, said in San Francisco during the recent RSA Conference, a major gathering of cybersecurity professionals. She is optimistic, however, that the IoT’s “huge attack surface” provides “an opportunity to build this one right. Think about it as if we are building a new Internet, not just to make IoT secure, but in a way that makes the entire Internet secure.”
Cybersecurity innovators are indeed on the case. Companies like Mocana and Zentri are marketing integrated platforms for securing IoT networks. China’s Huawei, which has been a strong advocate of “secure IoT ecosystem” standards, wins praise from Steve Hanna of hardware maker Infineon Technologies and the standards-promoting Trusted Computing Group: “Huawei is doing it the right way the first time, by building security into IoT systems.”
“It is critical that security is built in from the floor up,” says Peter Galvin, vice president of marketing and strategy, Thales e-Security. The pressing question: Is the IoT floor too far along for security to be, as technologists like to say, baked in?
“Fortunately,” Galvin says, “there are well-developed tools and methodologies that can be employed to protect data, like well-implemented encryption or tokenization, coupled with careful attention to how the keys are protected.”
The quicker these solutions are put to the test, the better.