A silver lining has emerged in the wake of the massive and well-publicized denial-of-service attack launched less than two months ago by hackers using millions of IoT devices to cripple the websites of major companies like Amazon, Netflix and Twitter. This ambush has triggered a redoubling of efforts to focus on the need for industry-led cybersecurity standards for IoT devices.
Even some in Washington, such as U.S. Senator Mark Warner, favor an industry-based approach before seeking some sort of government IoT security standards implementation. Security-minded business coalitions are stepping up activity in this area, and the more, the merrier.
After all, it isn’t clear in the United States who is supposed to be protecting the Internet. Most IoT (Internet of Things) devices have been hooked up to the Web in recent years with little concern for security, with weak password protection or none at all. There is no formal watchdog — not the government, nor for that matter, anyone else.
Instead, every organization is responsible for defending its own tiny piece of the Internet landscape. Companies and social media hubs are supposed to invest in protecting their websites and often do, but that doesn’t accomplish much if the connections among them are severed, as was the case in the October attack.
There is no way to know for sure if an industry-based IoT unified security approach will work. But it is certainly worth a shot. We know that the highly fluid nature of cyber threats nearly guarantees that government’s traditional approach to regulation (fixed and inflexible) is almost certainly doomed to failure. I believe that the Trump administration must envision and enact a concerted initiative to ensure that America is “cyber secure,” but in a broad sense, leaving the specific details to industry players. Industry participants and their suppliers should assume the actual responsibility for stitching together best practices by which to meet government mandates. Ultimately, they are in the best position to combat evolving threats.
The dearth of effective IoT security is no secret. A survey of 220 information security professionals who attended the Black Hat USA conference this year found that 78 percent are concerned about the weaponization of IoT devices for use in distributed denial-of-service attacks. Similarly, a survey by Tripwire, a digital security firm, found that only 30 percent of the organizations polled are prepared for security risks associated with IoT devices.
It makes sense for the business community to take the first swipe at resolving the IoT security issue. Experts suggest basic security safeguards that manufacturers should provide, such as a unique user name and password for each IoT device. Even more folks are talking about some sort of up-to-date industry “seal of approval” or comparative ratings system regarding the security readiness of IoT devices. The private sector also would do well to try to tap into the expertise of the U.S. intelligence and defense communities, which are rumored to have developed expertise in IoT security.
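To make the "unique user name and password for each device" safeguard concrete, here is an added example (not code from the article or from any of the groups it names) of what a manufacturer's provisioning step looks like when it issues a distinct random credential per unit, set beside the shared-factory-default pattern that made the October botnet possible. The serial numbers, the `dev-<serial>` username scheme and the `audit_fleet` helper are constructed for illustration; the audit is the kind of check a "seal of approval" program could run over a production batch.

```python
"""Per-device credential provisioning versus a shared factory default.

Constructed example: models the manufacturer-side step that assigns login
credentials to each unit before it ships, and an audit that counts how many
units share a password with any other unit in the batch.
"""
import secrets
import string
from collections import Counter
from dataclasses import dataclass

ALPHABET = string.ascii_letters + string.digits
PASSWORD_LENGTH = 16  # 62^16 possibilities; collisions across a batch are negligible

# Constructed serial numbers standing in for a production batch.
SAMPLE_SERIALS = ["SN0001", "SN0002", "SN0003", "SN0004", "SN0005"]


@dataclass(frozen=True)
class DeviceCredential:
    serial: str
    username: str
    password: str
    must_change_on_first_login: bool


def shared_default_provision(serials):
    """The weak pattern: every unit ships with the same admin/admin login
    and never forces the owner to change it."""
    return [DeviceCredential(s, "admin", "admin", False) for s in serials]


def unique_provision(serials):
    """The recommended pattern: a per-unit username derived from the serial
    and a fresh random password from a CSPRNG, with a forced change on first
    login so the printed factory value does not stay in service."""
    creds = []
    for s in serials:
        password = "".join(secrets.choice(ALPHABET) for _ in range(PASSWORD_LENGTH))
        creds.append(DeviceCredential(s, f"dev-{s}", password, True))
    return creds


def audit_fleet(creds):
    """Report how many units in a batch share a password with another unit.
    A conformant batch has distinct_passwords == units and no sharing."""
    counts = Counter(c.password for c in creds)
    units_sharing = sum(n for n in counts.values() if n > 1)
    return {
        "units": len(creds),
        "distinct_passwords": len(counts),
        "units_sharing_password": units_sharing,
        "all_force_first_change": all(c.must_change_on_first_login for c in creds),
    }


if __name__ == "__main__":
    print("shared default:", audit_fleet(shared_default_provision(SAMPLE_SERIALS)))
    print("unique per unit:", audit_fleet(unique_provision(SAMPLE_SERIALS)))
```

The point of the audit is that uniqueness is measurable: a ratings scheme does not have to trust a vendor's claim, it can sample a batch and count distinct credentials directly.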
Separately, collaboration between industry experts and standards groups is already robust. The National Institute of Standards and Technology has a Communications Technology Laboratory examining security in the context of IoT and 5G networks. Other groups, such as the International Standards Organization, Underwriters Laboratory, ATIS, IEEE and the 3rd Generation Partnership Project are collaboratively working on similar issues.
At the same time, at least two industry groups — the Online Trust Alliance and a separate coalition of security firms, including Symantec and ARM Security Systems — have also stepped up to the plate to improve IoT security. The security firm coalition has developed the Open Trust Protocol to provide secure architecture and code management to protect connected devices. The OTP’s architecture uses technologies deployed in banking and for handling sensitive data on smartphones and tablets. It’s designed to work with security software to protect IoT and mobile devices from malicious attacks.
Meanwhile, the Online Trust Alliance, a non-profit with the mission to enhance online trust, has established the OTA Trust IoT Framework as the first global, multi-stakeholder effort to address IoT risks comprehensively. It includes a baseline of 31 measurable principles that device manufacturers and developers should follow to help maximize the security of devices and data collected for smart homes and wearable technologies.
What these consortiums know all too well is that a specific IoT device may not be the actual target of an attack. That device, however, might be highly attractive as a gateway to the network to which it is connected, the real targets being the valuable