In-brief: progress on securing the Internet of Things requires makers and security experts to compromise and learn to work together, says Cisco’s Marc Blackmer.*
Pop trivia question: What was the year in which a technology reporter became a human guinea pig for two cybersecurity researchers demonstrating new kinds of vulnerabilities created by the Internet of Things? During this proof of concept, the researchers took control of the steering, brakes, horn, and more, of a car the reporter was driving. The year was:
d) all of the above
If you answered c (2013), you’re absolutely correct. Here’s a bonus question:
Once the video of the proof of concept was made public, the response was:
a) an optional software update from the automaker for affected vehicle models
b) a mandatory recall of affected vehicles to address the demonstrated security holes
c) legislation mandating security audits of software that controls critical vehicle functions
If you answered d (crickets) you are (sadly) correct again.
Fast forward to 2015, when a nearly identical proof-of-concept test was conducted – this time wirelessly, and on a vehicle driving on a freeway. This time around, the news lit up with stories about the insecurity of connected cars and, more broadly, of the Internet of Things. At long last, the public became concerned about connected vehicles. In short order, the car maker (Fiat Chrysler) recalled 1.4 million affected vehicles.
That’s a positive outcome. But it got me wondering, “Why did it take this dramatic display for any real action to happen?”
The great promise of the IoT is constantly balanced with the increased attack surface it introduces. The cybersecurity community and IoT device makers need to work hand-in-glove to address the threats. But the truth is that the market dynamics driving the Internet of Things don’t put a premium on security features – at least as compared with time to market.
Beyond that, with so many new industries and vendors entering the IoT market, many will be working with the security research community for the first time. There will be an inevitable learning curve, and we don’t have the luxury of time, so we need to shorten that curve. But how?
Jennifer Steffens is the CEO of IOActive, one of the companies involved in both the 2013 and 2015 proofs of concept. She wants manufacturers to understand that “…when a researcher is knocking on your door, he’s not the bad guy; the bad guy is exploiting that vulnerability without telling you,” whereas the good guys are there to tell you about it so you can fix it.
Making the relationship work is also the responsibility of the cybersecurity research community, Steffens said. “We [in the cybersecurity community] do a good job of talking with each other…but we need to think of the market we’re trying to reach and [speak] the language they speak.”
Translating the language of cybersecurity for others seems obvious, but it’s not easy. Why is cybersecurity so difficult? Dr. Matthew Cronin of George Mason University and his research colleagues at Georgetown University are trying to answer that very question. In short, he says, “It’s abstract… Economics is well-defined, for example, but cybersecurity isn’t there.”
Even the term ‘cybersecurity’ means different things to different people. The domain itself doesn’t have a definitive, centralized body of knowledge, and it has established something of a ‘Wild West’ culture in which structure is anathema. “But now the Wild West is too connected,” Cronin says. The cybersecurity community needs to recognize this and find a way to formalize its message to the non-security world. Security research teams can spend months working on a single project. When a vulnerability is discovered, the last step of the process is to disclose the findings to the manufacturer.
My colleague Rich Johnson is a cybersecurity research manager in Cisco’s Talos group. He is tasked with disclosing vulnerabilities Talos discovers to the affected manufacturers and authorities, and he is met with a wide range of responses from manufacturers – from gratitude to ambivalence. Johnson agrees that it’s key to explain vulnerabilities in a way that is relevant to the audience in order to motivate them to take action. For instance, an executive doesn’t need a technical explanation, but she does need to understand what potential liability her company may be exposed to if the vulnerability is not patched.
Successful cybersecurity has always required a group effort, and the IoT will make collaboration an absolute requirement. Collaboration has to start with understanding. Those manufacturers planning to enter the Internet of Things, big and small, must realize that professional security researchers have made it their personal mission to improve security for all of us and are a useful ally for manufacturers.
As for the security community, Steffens cautions patience. Industries can’t turn on a dime, but most companies and device makers want to do the right thing. “It’s not that they don’t want to be secure; sometimes they just don’t know how to start…”
That’s where we all come in.
Marc Blackmer is a Product Marketing Manager for Industry Solutions at Cisco Systems.
(*) This article has been modified. The first option on the survey question regarding the researchers was changed to “2001” from “2015.” Also, the sentence regarding Mr. Johnson was altered to say that manufacturers’ responses ranged from “ingratitude to ambivalence,” not “ingratitude to resentment.” PFR 11/12/2015.