
Modern field guide to security and privacy

Opinion: How to fix an internet of broken things

The recent cyberattack that crippled much of the web last week took advantage of vulnerabilities in home products connected to the internet. Fixing those flaws is possible but it requires public action and industry cooperation. 

 

Jim Cole/AP
Malicious hackers directed a cyberattack last week at Dyn, a New Hampshire internet service company. The company was hit with a flood of internet traffic that originated from insecure connected devices.

The massive distributed denial of service, or DDoS, attack that paralyzed much of the web last week focused a bright spotlight on insecurities in the so-called Internet of Things.

That attack took advantage of rampant insecurities in gadgets such as web cams, which were corralled into a vast botnet that unleashed the DDoS on the tech company Dyn, which provides a core piece of internet infrastructure.

While the rise of smart products holds the promise to revolutionize business and society, the burning question now is whether security can scale alongside the fast pace of innovation. The market for internet-connected devices is growing so quickly that Samsung recently that all of its products would be connected to the Internet by 2020.

There's a way of developing connected gadgets that aren't easily susceptible to outside attack, that have more security protections, and are designed with security in mind. But it'll take more pressure on industry to make sure that happens.

First, we need more cooperation amongst stakeholders including information sharing within defined boundaries, along with graduated sanctions being in place for rule breakers. The (ISAC) is one example of this approach that should be replicated in other IoT sectors.

Second, we should set standards for IoT devices. One model is the National Institute of Standards and Technology's (NIST) , along with its work on Systems. Over time, these standards could help establish a , including new approaches to measures.

Third, for the time being policymakers should push flexible, guidance-driven frameworks, not prescriptive regulation. Still, a range of are available to incentivize cybersecurity investments, from tax breaks to public bug bounty programs.

In particular, more attention should be paid to the intersection of IoT and the need to secure supply chains. Since IT systems control everything from phones to factories, ensuring these systems are secure is of vital importance to the global economy. Yet this is a daunting proposition given varying sources of insecurity, from malicious (a 2012 Microsoft found malware being installed in PCs at factories in China) to conflicting commercial incentives, such as Lenovo's installation of advertising software that weakened security in 2015.

Fourth, IoT providers should be encouraged to undertake good governance best practices, which can be accomplished by effective monitoring of IoT peers and an active role for civil society in shaming outliers. The could be brought to bear to help encourage the dissemination of best practices, such as firms requiring NIST Cybersecurity Framework compliance from their suppliers, along with mandating the ability to do software updates for IoT devices. Similarly, an active dialogue between public and private sector supply chain governance is needed.

Fifth, government should be willing to allow industry to react to data breaches without overly broad, harsh or punitive fines, except in egregious circumstances as has begun to be defined in the US context through recent Federal Trade Commission litigation.

More broadly, policymakers can consider a range of policy options to enhance cybersecurity ranging from the manageable (offering grants to establish a nationwide network of cybersecurity clinics geared toward serving under-resourced stakeholders such as local governments and school corporations) to potentially helpful but politically challenging (national data breach notification that includes "reasonable" cybersecurity practices along with product recalls for insecure devices). And other questions loom, such as whether or not the FBI or another agency should be allowed to hack a botnet to stop these sorts of IoT-enabled cyber operations.

Already, the European Union is taking some steps in this direction with the , which, among other things, calls for a standard of cybersecurity for all businesses based upon risk management, information sharing and breach reporting between EU Member States, and multistakeholder participation in coordinated responses to cyberthreats.

We've come a long way since Kevin Ashton first used the expression "Internet of Things" as the title of a he gave for Procter & Gamble in 1999. The promise of networked smart devices is finally being realized, but in order to avoid the same litany of cyberattacks and data breaches we've seen in other contexts it's vital to adopt proactive policies that help drive the evolution of effective and secure IoT governance before cyber insecurity becomes replete in the Internet of Everything.

Scott Shackelford is an associate professor at the Indiana University Kelley School of Business where he teaches cybersecurity law and policy. He is the director of the , a Research Fellow at the Harvard Kennedy School's Belfer Center for Science and International Affairs, and a senior fellow at the . This article was adapted from , which was published by Cyber Magazine.
