In-brief: are public health initiatives the best model for securing the Internet of Things? David Bray, the CIO for the Federal Communications Commission, thinks they may be.
One of the big challenges in securing the Internet of Things is how to adjust to the scale and diversity that the IoT brings. To put it simply: most of our security tools and processes were developed for a much smaller and more homogenous Internet – one of some billions of devices, most of them laptops, desktops, servers, routers, switches and – lately – mobile phones.
As we’ve written here on many occasions, the IoT represents a break with that history. It simultaneously adds a whole host of new, previously unconnected endpoints to the ‘net – from wearables to connected infrastructure like roads and street lamps. At the same time, it bridges the air gap to a lot of legacy infrastructure: from building management and environmental controls to industrial control systems.
How does one police or, more appropriately, care for that kind of far-flung and diverse ecosystem? It’s an open question. But there are lots of ideas, and most of them look ‘outside the box’ of classical IT management for inspiration.
Add to that list the recent writings of Dr. David Bray, the CIO for the Federal Communications Commission. Over at The Enterprisers Project, a CIO-focused news and information site, Dr. Bray has written what I think is a really interesting piece on security and the Internet of Things. Among other things, he argues that the world may look to public health, rather than technology, as the solution for securing the Internet of Things.
Bray has some authority on the subject. He served as IT Chief for the Bioterrorism Preparedness and Response Program at the U.S. Centers for Disease Control from 2000 to 2005.
Securing the Internet of Things – like “curing disease” – is likely to be a long-term project that is never completely successful, he writes.
“Public health exists because even with our best efforts, infectious disease outbreaks do occur in the real world, and we have to rapidly detect, respond, and help treat those affected,” he writes.
But, as in public health, securing the IoT may be a project in which small and seemingly insignificant acts – like hand washing, or using mosquito nets – can have a huge, beneficial impact. He argues for something like a “cyber public health approach” that is described as a “mashup of cyber personal hygiene and cyber epidemiology” (two disciplines that don’t currently exist, we should note.)
“If we think of the Internet as a series of digital ecosystems where participants need to assume some responsibility for making sure they’re doing their best to keep their Internet devices clean and secure – the digital equivalent of washing their hands – then we can also imagine the need for cyber epidemiology when individual hygiene is insufficient in preventing a mass ‘outbreak’ or individual infection,” Bray said.
Sounds good – but what does that look like, practically? That’s where things get a bit fuzzy. Bray, who has been traveling the globe to research this issue as an Eisenhower Fellow, said that the approaches of international leaders he has consulted with in places like Taiwan and Australia are mostly voluntary and rely on verbose sharing of (anonymous) information on emerging threats. Bray talks about a “real-time clearinghouse of voluntarily submitted data about the cyber ‘health’ of the Internet across multiple devices.”
This has an analog in public health, where officials at the state and federal level will report on outbreaks or even just instances of communicable diseases, and where there is clear protocol on how to respond to one-off instances, small outbreaks, larger outbreaks and epidemics.
What kind of data is shared? This is vague, but the article mentions “masked, de-identified data regarding abnormal behaviors they’re seeing on their firewalls, routers, and other devices.”
Importantly – this should be “voluntary,” Bray notes. Governments and cooperating organizations would take part in data submission in a “voluntary, open, opt-in model.” Done at scale and with the proper analysis, Bray believes that the collected information about outbreaks and malicious activity could allow responsible organizations to act early on emerging threats.
Bray isn’t the first to find a possible model for securing the IoT in the field of public health. Writing for this blog in May, Amit Mital of Symantec made a similar argument: that “our existing economic, cultural and legal incentives to online hygiene are inadequate” and that the problem will worsen as we migrate to the Internet of Things. “With 10- or 100 times as many connected devices, few of which look anything like the personal computers of the last 30 years, the threat surface is much larger.”
But Mital was skeptical of the applicability of public health models to a population as big and diverse as the Internet of Things. “IoT devices’ hardware and processing constraints make current endpoint protection models (“vaccination”) impossible,” Mital wrote. His solution: “security by design. To continue with our public health analogy, think about this as genetically engineered immunity instead of vaccination.”
The article on Bray is an interesting read. Check out more here: Why everyone must play a part in improving IoE privacy | The Enterprisers Project