When Toasters Attack: 5 Steps to Improve the Security of Things

posted Sep 8, 2016, 4:24 PM by Michael Lenart   [ updated Oct 19, 2016, 3:33 PM ]
By Scott Shackelford

There is a great deal of buzz surrounding the Internet of Things (IoT), which is the notion, simply put, that nearly everything not currently connected to the Internet, from gym shorts to streetlights, soon will be. The rise of “smart products” holds the promise to revolutionize business and society, and the applications are seemingly endless. Microsoft has estimated that the number of Internet-enabled devices will grow from 11 billion in 2013 to 50 billion by 2020, though estimates vary, with Morgan Stanley predicting 75 billion such devices in existence by 2020. [1] To substantiate the coming wave, Samsung recently announced that all of its products would be connected to the Internet by 2020. [2]


Photo credit: Scott Bedford/Shutterstock


Regardless of the final number, the end result of the IoT revolution looks to be a mind-boggling explosion in Internet-connected stuff. Yet the burning question is whether security can or will scale alongside this increasingly crowded field, or whether we will see a repeat of the late 1990s, with products being rushed to market and attackers taking advantage of the resulting “technical debt.” [3] So far, relatively little attention has been paid to how we should go about regulating smart devices, and still less to how cybersecurity should be enhanced within such a diverse ecosystem, particularly as it relates to supply chain concerns. This is the topic that a team of researchers and I have taken on in a new paper that applies groundbreaking polycentric governance models to the IoT and situates the U.S. debate alongside how other jurisdictions, including the EU, are tackling this issue. [4]


Long story short, we argue that a successful polycentric framework to enhance the Security of Things requires five general steps, as well as a number of IoT-specific initiatives. 


First, we need more cooperation amongst stakeholders, including information sharing within defined boundaries, along with graduated sanctions for rule breakers. The recently announced automotive ISAC is an example of this approach that should be replicated in other IoT sectors. [5]


Second, active stakeholder participation in standards setting, such as through the National Institute of Standards and Technology’s new IoT Cybersecurity Framework, is vital to success. Over time, these standards could help establish a standard of IoT cybersecurity care [6], including new approaches to proactive cybersecurity measures. [7]


Third, for the time being policymakers should push flexible, guidance-driven frameworks, not prescriptive regulation. Still, a range of policy options is available to incentivize cybersecurity investments, from tax breaks to public bug bounty programs. [8] In particular, more attention should be paid to the intersection of the IoT and the need to secure supply chains. Since IT systems control everything from phones to factories, ensuring these systems are secure is of vital importance to the global economy. Yet this is a daunting proposition given the varying sources of insecurity, from the malicious — a 2012 Microsoft report found malware being installed in PCs at factories in China [9] — to conflicting commercial incentives, such as Lenovo’s 2015 decision to install advertising software that weakens security.


Fourth, IoT providers should be encouraged to adopt good governance best practices, which can be accomplished by effective monitoring of IoT peers and an active role for civil society in shaming outliers. The power of supply chains could be brought to bear to help encourage the dissemination of best practices, such as firms requiring NIST Cybersecurity Framework compliance from their suppliers. [10] Similarly, an active dialogue between public and private sector supply chain governance is needed, potentially leveraging expertise from organizations like the Naval Surface Warfare Center Crane Division’s cutting-edge lab, which recently launched a partnership with nearby Indiana University. [11]


Photo credit: intercomputer.com


Fifth, government should be willing to allow industry to react to data breaches without overly broad, harsh or punitive fines, except in egregious circumstances, as has begun to be defined in the U.S. through recent Federal Trade Commission (FTC) litigation.


More broadly, policymakers can consider a range of policy options to enhance cybersecurity, ranging from the manageable (offering grants to establish a nationwide network of cybersecurity clinics geared toward serving under-resourced stakeholders such as local governments and school corporations) to the potentially helpful but politically challenging (subsidized cyber risk insurance schemes). Already, the EU is taking some steps in this direction with the Network and Information Security (NIS) Directive, which, among other things, calls for a standard of cybersecurity for all businesses based upon risk management, information sharing and breach reporting between EU Member States, and multi-stakeholder participation in coordinated responses to cyber threats. [12]


Regarding more specific takeaways for managers, it is vital to build proactive cybersecurity best practices in from the inception of a new IoT product line. The lesson here is constant vigilance, i.e., letting an initial process of cybersecurity due diligence be the first, and not the last, word in an ongoing, comprehensive cybersecurity policy that promotes cyber resilience along with the best practices essential for battling the multifaceted cyber threat. Such a policy should be widely disseminated and regularly vetted as part of an overarching enterprise risk management process, along with having an incident response plan in place that includes private and public information sharing mechanisms.


These recommendations are in line with FTC guidance, as seen in the Wyndham settlement order [13], which should be considered the ground floor of compliance and be supplemented by the 2014 NIST Framework and the NIST IoT Framework to check for governance gaps that may then be filled in by industry best practices. Concrete steps for retailers, for example, could include installing software to deactivate RFID tags after a pre-determined period of time so as to avoid consumer privacy concerns. Voluntary, private-sector-driven certification schemes could also be created to signal to customers which IoT companies have taken such basic cybersecurity measures. [14]


Photo credit: securityintelligence.com


Globally, partnerships should be fostered to help engender and spread trust among increasing numbers of IoT participants. This is already happening to an extent in several cross-border collaborations such as the U.S.-EU Memorandum of Understanding on Cooperation surrounding eHealth/Health IT, which was designed to demonstrate a shared dedication to strengthening transatlantic cooperation in eHealth and Health Information Technologies. This model could be replicated in other IoT contexts. [15]


In many ways we’ve come a long way since Kevin Ashton first used the expression ‘Internet of Things’ as the title of a presentation he gave for Procter & Gamble in 1999. [16] The promise of networked smart devices is finally being realized, but in order to avoid the same litany of cyber attacks and data breaches we’ve seen in other contexts, it’s vital to adopt proactive policies that help drive the further evolution of effective IoT security governance, before cyber insecurity becomes replete in the Internet of Everything.



About the Author


Scott Shackelford is Associate Professor of Business Law and Ethics, Indiana University Kelley School of Business, where he teaches cybersecurity law and policy. He is the Director of the Ostrom Workshop’s Program on Cybersecurity and Internet Governance, a Research Fellow at the Harvard Kennedy School’s Belfer Center for Science and International Affairs, and a senior fellow at the Center for Applied Cybersecurity Research.
End Notes

[1] Danova, T. Business Insider. http://www.businessinsider.com/75-billion-devices-will-be-connected-to-the-internet-by-2020-2013-10#ixzz3i4CApJsg

[2] Metz, R. MIT Technology Review. https://www.technologyreview.com/s/533941/ces-2015-the-internet-of-just-about-everything/

[3] OnTechnicalDebt. http://www.ontechnicaldebt.com

[4] Shackelford, S. et al. When Toasters Attack: A Polycentric Approach to Enhancing the ‘Security of Things’. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2715799

[5] Auto Alliance. Auto-ISAC Announces Board of Directors. http://www.autoalliance.org/index.cfm?objectid=2A25D140-7826-11E5-997E000C296BA163

[6] Shackelford, S. et al. Toward a Global Cybersecurity Standard of Care? Exploring the Implications of the 2014 NIST Cybersecurity Framework on Shaping Reasonable National and International Cybersecurity Practices. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2446631

[7] Craig, A., Shackelford S., & Hiller, J.S. Proactive Cybersecurity: A Comparative Industry and Regulatory Analysis. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2573787

[8] Shackelford S., & Russell, S. Operationalizing Cybersecurity Due Diligence: A Transatlantic Comparative Case Study. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2714529

[9] The Guardian. Malware being installed on computers in supply chain, warns Microsoft. https://www.theguardian.com/technology/2012/sep/14/malware-installed-computers-factories-microsoft

[10] The White House. FACT SHEET: White House Summit on Cybersecurity and Consumer Protection. https://www.whitehouse.gov/the-press-office/2015/02/13/fact-sheet-white-house-summit-cybersecurity-and-consumer-protection

[11] Indiana University. IU Center for Applied Cybersecurity Research, NSWC Crane to collaborate on cybersecurity. https://itnews.iu.edu/articles/2016/the-indiana-university-center-for-applied-cybersecurity-research-cacr,-naval-surface-warfare-center-crane-to-collaborate-on-cybersecurity.php

[12] The Register. The Network and Information Security Directive - who is in and who is out? http://www.theregister.co.uk/2016/01/07/the_network_and_information_security_directive_who_is_in_and_who_is_out/

[13] Federal Trade Commission. Wyndham Settles FTC Charges It Unfairly Placed Consumers' Payment Card Information at Risk. https://www.ftc.gov/news-events/press-releases/2015/12/wyndham-settles-ftc-charges-it-unfairly-placed-consumers-payment

[14] Inserra, D., & Bucci, S. Cyber Supply Chain Security: A Crucial Step Toward U.S. Security, Prosperity, and Freedom in Cyberspace. http://www.heritage.org/research/reports/2014/03/cyber-supply-chain-security-a-crucial-step-toward-us-security-prosperity-and-freedom-in-cyberspace

[15] European Commission. Memorandum of Understanding EU-US on eHealth. https://ec.europa.eu/digital-single-market/news/memorandum-understanding-eu-us-ehealth

[16] Ashton, K. RFID Journal. That 'Internet of Things' Thing. http://www.rfidjournal.com/articles/view?4986