The optimistic case for IoT security standards


With the second major IoT-based DDoS attack having passed through the news cycle, everyone wants to know what can be done to stop future attacks. With the quantity of internet-enabled devices increasing at an accelerating rate for the foreseeable future, we know that question has to be answered immediately.

Large US tech companies and the US Department of Commerce are meeting about this now. Is this a good sign?

The conspiracy-theorists say it’s a bad sign. It is historically true, after all, that large internet businesses attempt to control the flow of online communications (Microsoft with IE, Google with their search results and Chrome, Facebook with their algorithms and the corn-maze you have to go through before leaving the site, Amazon with commerce, Apple with in-app purchases). It’s also true that government agencies want control, or at least unfettered visibility, into anything and everything they can get their hands on. So if this conspiracy were real, one of the things you’d expect to see is those organizations banding together “for the good of the people.” And that’s what they’re doing.

On the other hand, this could be a good sign. Taking for a moment a position of pure self-interest on the part of large internet businesses, is it good that foreign nations can disable the Internet at-will? No, because it disrupts your business, whether it’s Google, Twitter, and Facebook charging for ads, Netflix charging to watch movies, or Amazon and Apple charging for commerce. From the same assumption of self-interest, is it in the US government’s interest that foreign nations can disable the US Internet at-will? No, it undermines US sovereignty and ability to operate, similar to blocking all interstate highways. So if these disparate organizations happen to agree on this issue, what would be the logical step? To meet together to cooperate on this issue of mutual importance. And that’s what they’re doing.

To me, this doesn’t prove either theory correct, but it does demonstrate that we’re not forced to conclude there is something nefarious brewing. We should be wary of that possibility, but it’s not a foregone conclusion.


Indeed, there are many international internet standards which are not controlled by any large company, nor the US government. Examples: SMTP (the protocol used by email), HTTP (the protocol used by web browsers), TLS (the protocol that wraps both SMTP and HTTP in a shroud of secure privacy), and DNS (the protocol attacked in this latest event, but which was difficult to stop precisely because no one company or government controls it).

Furthermore, there already are international standards bodies governing other aspects of these same devices that were abused for nefarious purposes. All of those devices were certified by UL and CE, for example, which ensure that devices don’t emit harmful or interfering electromagnetic radiation, and that you can’t cause a fire by poking a wire into the device, even by accident.

So we have precedent that IoT devices can be regulated, and that internet protocols can be standardized, with mechanisms that are open, transparent, and international, without a single company or nation in control. These are the components needed to enforce default-secure behavior for IoT devices.

It won’t be easy. The details of regulation will be tricky to agree upon. There will continue to be legacy devices that we need a policy about. (Some have already been recalled.) New attacks will be discovered, which requires regulation to change quickly to keep up, and one thing regulation is certainly not good at is “changing quickly.”

And the conspiracy-theorists are correct that, all things being equal, large organizations in both public and private sectors will attempt to gain control in any way possible, and we must not allow the clear and present danger of DDoS attacks to scare us into giving them undue power.

But we should hold an optimistic view, that control-hungry organizations represent a design-constraint for a solution, rather than an impossible obstacle preventing any solution.

  • pjauregui

    Great writeup Jason, on a very important topic!

    The solution to IoT Security issues must come out of a partnership between the various IoT players up and down the stack–from chip-to-cloud. There are a lot of constituents at play, from hardware manufacturers, developers, product teams, cloud providers, services providers, and yes… even IoT consumers.

    In full disclosure, I work for an Austin-based security assessment provider focused on the IoT (https://www.praetorian.com). We are positioned in a place where we engage with all IoT constituents directly, providing end-to-end IoT penetration testing–from chip-to-code–for Fortune 500 to venture-backed startups. This conversation isn’t just isolated to events in the media, we’re hearing the same thing from everyone involved on the inside, “we need a set of security test verification standards that is grounded in actionable engineering practice, not policy, that is recognized by IoT products and consumers of connected product solutions.”

    There also has to be a unified partnership across the complete IoT vendor landscape, such as the one Microsoft just announced with our company this morning:

    https://blogs.microsoft.com/iot/2016/10/26/introducing-the-security-program-for-azure-iot/

    http://venturebeat.com/2016/10/26/microsoft-launches-azure-iot-security-program-certified-device-catalog/

    Microsoft recognizes Praetorian as a “best-in-class” Internet of Things (IoT) global auditing partner and a founding member of its new Security Program for Azure IoT. There aren’t a lot of companies who can provide end-to-end assessment coverage for the IoT right now. It’s a blue ocean in IoT, and more specifically IoT Security, but that will change.

    At the end of the day, security is more an economic challenge than a technical challenge. Security spending (on assessments and beyond) will increase as viable IoT business models and value creation opportunities solidify across every industry.

    It’s early, but I’m optimistic as well.

    Innovation is exploding as the next wave of technological progress transforms our world into an increasingly smart and connected cyber-physical place, where billions of new devices and sensors will be made even smarter by intelligence in the cloud. We’re excited to be working with new partners and customers who see security as an enabler of next wave innovation and a requisite for new technologies to meet their full market potential.

    Your article is very timely. Thank you.

    Paul Jauregui
    http://www.linkedin.com/in/myover

  • http://www.zengda.xin/ 增达任务网

    Quite good, I feel inferior by comparison!

  • http://www.001314.org/?ic=327991 一生一世套图

    Three days without visiting and my hands get itchy!

  • http://www.hxjz.xin/ 华夏九州套图

    I’m just here for a casual look!

  • http://www.zengda.xin/ 广告任务网

    Looks pretty good ⊙0⊙

  • http://www.111314.org/?ic=vip 一生一世套图

    I’ve never used a blog before, so I came to take a look!

  • Borys

    Thank you for your article! Very useful for people in IT. If you want to work in an IT company, you can read how to choose one and what questions you may ask. Contacting a referee is the toughest advice in this article. You may find that the person is a misanthrope, hates human beings and won’t speak http://djangostars.com/blog/how-to-choose-a-development-company-for-your-web-project-the-overview/

  • http://www.zengda.xin/?ic=cxb328 增达网

    Your blog is like a fire in the middle of winter!