Securing the internet of things will be no easy task


Never before has the potential market for modern life been so exciting, driven by the advent of the technology comprising the internet of things. IoT devices are already everywhere and could soon permeate every aspect of everyday life.

Imagine: upon waking up, your voice-controlled assistant dials up the lights to a modest glow so your eyes can adjust and sets the thermostat to a cozy temperature. Your refrigerator greets you with a reminder that you’re almost out of milk — but not to worry, it’s already ordered you more from your grocery delivery service. Rushing out the door, you’re halfway to work in your self-driving car before you realize you forgot to turn on your home security system. No sweat — with the touch of a button, it’s activated, and you can focus on the day.

This hypothetical morning commute is a microcosm of the potential the IoT market can unleash for our economy and society. Connected devices can improve our effectiveness in environmental functions like water filtration and energy efficiency. They can enable smart-city initiatives and transform healthcare. Devices can most especially invigorate our educational institutions and learning environments, preparing our brightest young minds for a fully maximized career in the workforce of the future.

The IoT represents a frontier ripe with opportunity for creating American jobs, boosting American manufacturing and establishing global leadership. Yet for all the limitless potential positive impacts IoT may yet have on our world, there are also intelligent but malevolent actors who imagine leveraging its potential darker side. Their very real existence highlights the critical need for effective cybersecurity.

Some consider IoT proliferation to be “the next Industrial Revolution.” A recent Business Insider report estimates that by 2021, there will be 22.5 billion connected IoT devices — up from 6.6 billion in 2016 — with the IoT sector seeing an expected $4.8 trillion in aggregate investment in that time.

That’s an incredible marketplace for consumers and investors, but as with any new market, there is a risk that consumers may not flock to an innovation if they have concerns about its safety. A movie-like scenario of compromised fleets of autonomous vehicles wreaking havoc on America’s roads may be the stuff of Hollywood imagination, but certainly, the risk of malevolent actors trying to cause actual harm is there. 

This does not have to be, however, and the IoT discussion should not be a “gloom and doom” discussion. Yes, there are risks, but they are risks that can be significantly mitigated by the application of proper cyber hygiene. It’s comparable, of course, to the kind of cyberattacks that already occur. A major, sweeping breach happened this summer in the credit space. They’ll undoubtedly happen again, but they don’t have to be commonplace.

A 2017 Gartner report boldly claims that “IoT security as a distinctive market is dead” due to the pace of innovation in this sector. We cannot take a patchwork approach to IoT security after devices are introduced to market; securing IoT devices before they can be used as entry points or vectors to attack other parts of cyber infrastructure is paramount to overall strong cybersecurity. The major wave of ransomware attacks this summer that wreaked havoc in the industrial, healthcare and logistics sectors was enabled in part by vulnerable devices that were not built securely or with patching in mind.

As I testified before House Oversight’s IT subcommittee in early October, many recent, major breaches could have been eliminated or dramatically reduced if some fundamental principles of cyber hygiene had been followed, including constant patching, least privilege, encryption, micro-segmentation and multi-factor authentication. It makes sense for NIST, Congress and relevant federal agencies to cooperate with industry stakeholders to develop basic rules of the road for IoT security. This is equally important when federal agencies purchase IoT devices.

Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo.) recently introduced the Internet of Things Cybersecurity Improvement Act, which provides a thoughtful framework, modeled after the industry-recognized NIST framework. Their proposal focuses narrowly and appropriately on the procurement process by the federal government of IoT technology. It is a good starting point in specifically promoting a secure federal IoT ecosystem that includes provisions to build vulnerability patching capabilities into IoT devices from the outset, institute micro-segmentation and multi-factor authentication protocols for greater security and require gateways for IoT devices lacking a minimum level of security.

The internet of things will have a significant, positive impact on American innovation, American jobs and American lives. New products are coming online literally daily, and behind them countless, brilliant daydreamers are imagining, sketching and wiring the next generation of even better devices.

The market potential is outstanding. Promoting good cyber hygiene will go a long way toward creating the individual, business and government consumer confidence necessary to make certain that potential is met.

Ray O’Farrell (@Ray_oFarrell) is the CTO of VMware, a company that provides cloud computing and platform virtualization services.