Cybersecurity risks with the internet of things

December 20, 2017

Legislatures, and courts, being slow to fill gaps in the law is hardly a news story. And it is axiomatic that there is legislative inertia in the face of new technologies. The history of road rules for motor vehicles is a classic example. But the inertia and failure to respond to the threat of cyber attack has been a protracted and sad story of public policy failure. Hacking, phishing, spoofing and any number of other ways of attacking a network have existed for as long as the internet has been publicly accessible. Protecting against them has been ad hoc and generally the responsibility of individuals, organisations and agencies. Sometimes that has been adequate, but usually not. Setting and regulating standards is better than it was but still woefully inadequate, particularly the regulating bit. As a result there is now a generally dismal privacy culture. All the while, the development of devices connected to the internet has grown rapidly. The focus with these devices, and the apps that often go with them, is to get the product to market. Security is usually an afterthought and usually rudimentary, given that most of the expense has gone into product development and manufacture. The result for the economy is growing cybersecurity threats and a lack of preparedness to protect against that risk. It has been like watching a car crash frame by frame in slow motion.

The Wall Street Journal in The Cybersecurity Risks From the Internet of Things brings that issue into sharp relief.  An interview with John Carlin highlights the dangers and the lack of preparedness to meet the challenges of the Internet of Things along with enjoying its benefits. It makes for sober reading.

The article provides:

Former Justice Department official John Carlin says smarter devices bring increased risks, and the world isn’t ready

How do you secure “smart” devices that are constantly connected to the internet and sharing data? That is a question many cybersecurity experts are wrestling with as the Internet of Things takes off.

John Carlin, chairman of the global risk and crisis management group at Morrison & Foerster LLP and a former assistant attorney general in the national security division of the U.S. Justice Department, sat down with Wall Street Journal reporter Cat Zakrzewski to discuss what needs to be done to keep connected devices safe. Edited excerpts follow.

MS. ZAKRZEWSKI: You’ve been on the front lines of this as the Internet of Things has grown in recent years. At the Justice Department, you were involved in creating a team that worked across agencies to assess this threat. So first, could you talk about what threat the Internet of Things poses to companies today?

MR. CARLIN: If you think about it, over a roughly 25-year period, we moved almost everything we value from analog space to digital space, and then we connected it using a protocol that was never designed with security in mind.

And what you see is that when we’re thinking about how to stop future threats, we’re playing a game of catch-up. Across the board, we didn’t properly calculate the price of risk in making the decision to move all of this information and connect it through this insecure medium.

With the Internet of Things, we are on the cusp of a massive exponential increase in new devices that can cause immediate loss of life or serious injury that are going to be connected through this same insecure protocol. What we can’t do or shouldn’t do is make the same mistake again of discounting risk before we make this societal transformation.

The move from a car with a driver to a driverless car, for example, is going to bring significant changes to our society and the way we move goods and services. In government, we didn’t think of trucking as something that could fundamentally disrupt society. But if all of those trucks are connected, you can disrupt it on scale.

So we’re right on the cusp of this transformation and we aren’t prepared. We don’t have regulation in place. We don’t have education in place or voluntary adoption of standards to think through how we could build in security by design.

MS. ZAKRZEWSKI: What things occurred during your time at the Justice Department that really put pressure on the government to focus more on Internet-of-Things security?

MR. CARLIN: One was, we started working with automobile regulators who realized they didn’t really have a finely tailored regulation that addressed automobile safety when it came to cybersecurity risk.

We saw this proof-of-concept hack that many of you are familiar with, where a reporter and a hacker showed that you could get in through the entertainment system to the core braking and steering system of [certain Jeep Cherokees].

It was a relatively easy hack to do. This led to a discussion, “Well, what do you do about it? If this was a seat-belt malfunction or a brake malfunction, it’s clear what you would do.” So they used a regulation that really was designed for that type of safety flaw to cause the first recall of its kind of 1.4 million Jeeps, saying this essentially was a design flaw. That sent a wake-up call to that particular sector.

We also watched as terrorist groups began using a Western innovation—social media—against us. What everyone remembers about [North Korea’s hack of Sony] is that they took salacious emails inside the system and used third-party sites to distribute them through social media. That then gets picked up by the mainstream media, which is what harms the brand.

We were thinking, “We don’t want to miss again the way a new technology or a big change in the sector could affect our national security. And we need to be as creative as the bad guys, nation-states, terrorists and crooks and how they might use this technology and properly plan for that risk.”

And the third item is we saw what one terrorist could do with one truck in Nice, France. And we started to think about what would happen if by doing a hack they could turn a whole series of trucks at once into weapons.

That combination of thoughts led us to think that we needed to start working across government, because this is an area that is a hodgepodge right now of different regulators with different concerns, setting different standards.

MS. ZAKRZEWSKI: What were some of the general guidelines that you came up with for companies across sectors manufacturing connected devices?

MR. CARLIN: I think this is a real current gap actually. Whether it’s done voluntarily or through a statute or regulation, there are different ways you can approach it. But one at a minimum would be to say, “Here’s the standard that you ought to follow.” And then combine that with a certification process.

The first digitally connected pacemaker was rolled out, put into people’s bodies. It worked as designed [in terms of getting] data that would be helpful to doctors. But it didn’t have security by design, so a 12-year-old could hack it using publicly available software. After realizing that, and after it has been placed in people’s hearts, a patch was rolled out. That’s a problem.

MS. ZAKRZEWSKI: At what point do we say guidelines aren’t enough, and move toward the government taking a more active role in requiring companies to think about this from the start?

MR. CARLIN: I’ve been chairing a group for the Aspen Institute to come up with policy recommendations. As part of that, I interviewed the current cyber czar at the White House, Rob Joyce, a couple of times and asked him where the current administration is on this.

He said that what they are trying to do now is work through industry groups to get voluntary adoption of standards. But if it doesn’t work, we might need to move toward more direct action.

The problem is, there are startups that have every incentive to get to market and scale quickly, and then worry about brand or security later. I’m not sure how you address that without some type of requirement.

MS. ZAKRZEWSKI: How do you think the Internet-of-Things security threat might evolve next year?

MR. CARLIN: It’s going to get worse before it gets better. Even very sophisticated companies are just beginning to really integrate the focus on security into the design of products. So absent quick action, I think it will get worse at least in the short term.

