I have called for the creation of public-private partnerships that can store and analyze cyber incidents to determine what happened. Human behavior clearly plays a significant role in these incidents and we need to understand that behavior and how to modify it in a scientifically valid manner because the attackers are very good scientists. They build models of how the world works and they incorporate feedback as to whether their techniques are working. We need to have the same sort of savvy.
Myth #4: Software security that works for IT will work for IoT.
On one level, this is not a myth. For instance, the IEEE Cybersecurity Initiative recently published a paper, “Avoiding the Top Ten Software Security Design Flaws,” and it’s certainly applicable to IoT, though by its stated scope it’s not comprehensive. The paper is useful for IT and/or IoT software design in that its chapters discuss fundamental concepts such as “earn or give, but never assume trust,” “use an authentication mechanism that cannot be bypassed or tampered with,” “authorize after you authenticate,” etc.
On another level, however, I think one of the challenges for IoT – to cite just one example – is that some traditional, desktop security strategies probably aren’t going to work well. What does it mean to patch software in IoT? Certainly, in the industrial control system domain, technology is fielded for decades; that gear doesn’t get a software patch every month. So practices that are becoming efficient for desktop computing and for traditional IT infrastructure may not be relevant to IoT.
Perhaps the biggest challenge I see with IoT is scale. We’re going to deal with an IT infrastructure – a networked infrastructure that connects countless entities, devices and systems. We’ve never fathomed that before. What are the dynamics, driven by scale? We’ve certainly seen the dynamics of scale evolve in the Internet, where value creation and threats morph over time as the Internet itself undergoes orders of magnitude of change.
With, say, 1,000 people on the Internet, we have one set of dynamics. With a million, it’s a different set. When it’s a billion or a trillion? We’ll be stepping into a world we haven’t experienced before, that we haven’t engineered for. The Internet and computing technologies are really the only places where decade over decade we continue to see an order of magnitude change. What other domain becomes 10 times more efficient or 10 times more capable than it was the previous decade? IoT appears to be such an animal.
Myth #5: IoT cybersecurity is a challenge the private sector can meet alone.
The private sector will have to make its own decisions about security and privacy. Yet I’d expect the private sector to help facilitate an information exchange that contributes to the public good. Individual companies may not be motivated to care about the public good without guidance from public policy. We’ve done this in the United States, for instance, by creating the Federal Aviation Administration, the National Transportation Safety Board and other organizations that analyze events and promulgate rules to protect the public.
That said, I’m not in favor of security by decree. We need a more flexible model that allows secure information sharing for scientific security event analysis and access to the validated guidelines that emerge for avoiding future events. It’s really about creating and routing that feedback signal of what’s working and what’s not working so that researchers, enterprises and users of IoT can make informed decisions.
Policymakers need to be well-informed about the issues and willing to devote a measure of our collective resources to meet this challenge. But top-down, unvalidated rules in this environment haven’t proven effective. Policymakers need to respond to public concerns on Internet and IoT security and privacy. How do we improve that conversation? These security and privacy concerns are affecting people today on a personal level, a business level and on a national-security level. There aren’t many subjects that run that whole gamut. We’re entering new territory.
I’d like to end on an optimistic yet speculative note. I’m sure there was a time 100 years ago when parents assumed that serious childhood illnesses were common and normal, and that there wasn’t much you could do about them. Children would often die of polio or smallpox. Well, we beat those afflictions. I think there’s evidence in other areas that circumstances can change pretty dramatically. They take time and focused effort. So I’ll speculate that that will be the case with IoT security and privacy. We’ll figure out how to cope with these challenges.
Greg Shannon, PhD, chair, IEEE Cybersecurity Initiative, and chief scientist, CERT Division, Carnegie Mellon University Software Engineering Institute.
This story, "5 Myths (Debunked) About Security and Privacy for Internet of Things," was originally published by CSO.