No Silver Bullet For Securing The Internet Of Things

On Wednesday we wrapped up the first-ever Security of Things Forum (SECoT) here in Boston, which was a great success. During a full day of talks and panel discussions, there was a lot of discussion – both on the stage and in the audience. Here are some (high level) takeaways from the event:

The Internet of Things will be different – really different

The combination of technologies that we refer to as the Internet of Things is going to be transformative in ways that are profound. As I said in introductory comments: I see the net effect of this next phase of the Internet as being a leap forward, rather than incremental change – less “invention of the printing press” and more “invention of writing and counting systems.”

Securing the Internet of Things will be a massive effort - likely led by grass roots efforts within the technology community and affected verticals, according to experts at The Security of Things Forum on May 7.

Like Internet v.1, the exact direction that the Internet of Things will take is unclear. What is clear is that it will create technologies, markets, ways of doing business and behaviors that we can scarcely imagine today. Along with those will come significant challenges in areas like privacy and security. As an example, I noted to one prominent reporter that, three decades ago, very few people even knew what a software vulnerability was. Today, finding them (let alone exploiting them) is a multi million (billion?) dollar business for good guys and bad guys alike. That notion would be pretty amazing to people even 15 years ago. So, roll forward, and think about the complexity of interactions in the Internet of Things (vs. the older Internet of computers) and you realize how big this challenge will be.

We heard lots of otherwise smart and knowledgeable people saying, in essence “we don’t know” when asked to describe the security issues that will follow from widespread adoption of IoT technologies.

And that’s the truth. One of the lessons of the last few years has been that the complexity of the interactions between traditional networks and a host of small, embedded and mobile computing devices makes it difficult to see all the ways that you can be hurt. Just ask Target, which invested heavily in protecting its enterprise and retail IT infrastructure, but fell to an attack on a third-party HVAC contractor.

Our investors panel, which included representatives from Atlas Venture, Fairhaven Capital and .406 Ventures, agreed that the opportunity for novel security solutions to address the unique challenges of the IoT is there – and that verticals like critical infrastructure and healthcare are important, early test markets. But our investors – Jeff Fagnan, Rick Grinnell and Greg Dracon – were also in agreement that the runway for security startups is a long one, and that no security slam dunk yet exists in the IoT space.

Internet of Things technology makes us more resilient and more fragile

This was actually one of the big takeaways (as I saw it) of Dr. Dan Geer’s keynote, which was one of the (many) highlights of Security of Things Forum.

Dr. Geer has always been a thoughtful and subtle observer of the security space. His day job advising the CIA on its technology investments is proof (if anyone needed it) that he’s one of the best in the business at separating the snakes from the snake oil. In his keynote, Geer noted that as society becomes ever more dependent on technology, even mundane tasks and functions come to depend upon the Internet and constant connectivity – a kind of “distant digital perfection” that makes them smarter and easier to manage, but also more brittle. (Patrick Thibodeau over at Computerworld has a nice write-up of Geer’s talk here.)

Geer noted that our food supply, today, is intimately dependent on digital technology, including GPS and automated systems for running irrigation, sorting vegetables and feeding livestock. Our dependency on that technology is mostly taken for granted. Moreover, the interdependencies and connections between any of those technologies and other networks and systems are often overlooked – creating the potential for malicious acts and subversion, Geer said.

The cavalry is not coming (and I feel fine)

More than a few of our speakers stressed the notion that the security of the Internet of Things was really not going to fall to some external agent or actor to ensure. While federal, international or industry regulations could certainly help impose security standards and enshrine best practices, most speakers weren’t sanguine that we would see them soon – if ever.

Rishi Bhargava of McAfee used his talk to talk about Intel’s (front row seat) view of the coming IoT revolution. Bhargava said that while IoT applications were moving ahead at a rapid pace, security and privacy protections lagged. Talking about the retail space, Bhargava noted that Apple’s iBeacon technology (or competing technologies like it) would soon allow retailers to offer a personalized shopping experience to their customers (see also: Minority Report). However, that kind of offering requires a high bar for the privacy and security of the customer metadata that’s being used to make recommendations and suggestions in a retail environment. Despite that, regulations like the Payment Card Industry Data Security Standard are nowhere close to pulling that kind of technology under their regulatory umbrella – nor will they be any time soon, Bhargava warned.

To that end, Josh Corman, of Sonatype, talked about iamthecavalry.org, a grassroots effort to raise awareness among developers, technology, biotech and manufacturing firms of areas where computer security intersects with public safety and human life. Corman is among a group of individuals encouraging makers of medical devices, automobiles, home electronics and public infrastructure to do a better job of anticipating how their products might be attacked and abused after they are released.

In a morning panel Mark Stanislav, the security evangelist at Duo Security, made a similar pitch for Builditsecure.ly, a grass-roots effort to encourage those behind crowdfunded, small commercial and bootstrapped tech startups to implement security best practices in the design and development of their products.

We’d like to thank all those who attended our event, as well as all our sponsors: Cisco Systems, Intel Security, Duo Security, Atlas Venture, Fairhaven Capital, .406 Ventures, Mocana, Veracode and The Object Management Group for helping to make our first event such a success!

 
