Why legislation alone won’t solve the insecurity of the Internet of Things


Few people would dispute that cybersecurity is in a parlous state. In the last few weeks, we’ve seen a connected car wash and a fish tank hacked, and a smart gun unlocked and fired thanks to a magnet at the latest DefCon.

In response to the problem, a bipartisan group of U.S. senators has put forward new legislation to address the security problems of the Internet of Things. The new bill, introduced on Tuesday, would require vendors that provide connected equipment to the U.S. government to ensure that products are patchable and meet industry security standards, according to Reuters.

The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 is backed by the co-chairs of the Senate Cybersecurity Caucus, Democrat Mark R. Warner and Republican Cory Gardner, as well as Democrat Senator Ron Wyden and Republican Senator Steve Daines.

“My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products,” Warner said.


The new bill would require a contractor providing an Internet-connected device to certify that it does not contain “any hardware, software, or firmware component with any known security vulnerabilities or defects” listed by the US National Institute of Standards and Technology’s National Vulnerability Database. Devices would have to be certified to be capable of “accepting properly authenticated and trusted updates from the vendor” and use “only non-depreciated industry-standard protocols and technologies” for functions such as network communications and encryption. Further, a contractor must certify that the device “does not include any fixed or hard-coded credentials used for remote administration, the delivery of updates, or communication.”


The Insecurity of Things: A brief history

Security and Privacy in Your Car (SPY Car) Act

Current efforts are not the first attempt at legislation to address the security problems of IoT. In 2015 and again in March this year, Senator Ed Markey introduced the Security and Privacy in Your Car (SPY Car) Act, legislation that would direct NHTSA and the Federal Trade Commission to establish federal standards to secure our cars and protect drivers’ privacy. The SPY Car Act also establishes a rating system — or “cyber dashboard” — that informs consumers about how well the vehicle protects drivers’ security and privacy beyond those minimum standards. It further requires that every vehicle give “clear and conspicuous notice” to the driver about what driving data is being collected, if it’s being transmitted or saved, and how it’s being used.

FTC case against TrendNET


The Federal Trade Commission (FTC) released a report into IoT privacy and security in early 2015 which detailed the issues and made a series of recommendations for companies developing IoT devices. These included the recommendation “that vendors monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.”

Several of the principles alluded to in the FTC report are illustrated by the Commission’s first case involving an Internet-connected device. The FTC filed a complaint against security camera maker TrendNet for allegedly misrepresenting its software as “secure.” In its complaint, the Commission alleged, among other things, that the company transmitted user login credentials in clear text over the Internet, stored login credentials in clear text on users’ mobile devices, and failed to test consumers’ privacy settings to ensure that video feeds marked as “private” would, in fact, be private.

As a result of these alleged failures, hackers were able to access live feeds from consumers’ security cameras and conduct “unauthorized surveillance of infants sleeping in their cribs, young children playing, and adults engaging in typical daily activities.” The complaint came after hackers breached TrendNet’s web site and accessed videos from 700 users’ live-camera feeds — many of these videos were published on the Internet.

The case was settled with stipulations including requiring the company to obtain third-party assessments of its security programs every two years for the next 20 years. TrendNet was also required to notify customers about the security issues with the cameras and the availability of the software update to correct them, and to provide customers with free technical support for the next two years to assist them in updating or uninstalling their cameras.

Is legislation, education or self-regulation the answer?

Since then there has of course been a change of government and administration. Earlier this year the current head of the FTC told The Guardian that the agency is “not primarily a regulator” and called for a wait-and-see approach to enforcement during a discussion at a conference of cyber security professionals Nasdaq.

For the last couple of years, a working group convened by the U.S. Commerce Department’s National Telecommunications and Information Administration (NTIA) has been developing guidance about ways for IoT device manufacturers to better inform consumers about security updates related to the devices. This is a key part of any IoT security protocol, particularly in regard to insecure devices already on the market. Further, what is secure at present may degrade without vigilance from customers.

How attentive are consumers willing to be? What about products purchased internationally? We’re currently in an era where a household may contain over 200 connected devices, each with its own specific security requirements and varied life cycle. It’s not any better in the enterprise: according to research earlier this year, almost half of all companies in the US using an IoT network have been the victims of recent security breaches.

Even just cataloging all the connected devices in a single workplace could be a mammoth undertaking. Personally, I’m unconvinced that security minimum standards or a rating system would work either, due to the sheer volume of connected devices emerging each year and the volatility of cyber security to new vulnerabilities. Will the current efforts of the Senate Cybersecurity Caucus lead to a trickle-down effect to consumer law? How long would it take and how would it be enforced? Technology moves fast and it’s questionable whether the law can keep up.

The post Why legislation alone won’t solve the insecurity of the Internet of Things appeared first on ReadWrite.


Digital Transformation: Software Alone Isn’t Enough

Digital business models are incredibly disruptive. Since technology innovations are built on top of each other, new business models are beginning to blur traditional industry boundaries. Software and solutions that once ran on your desktop computer are now part of a ubiquitous mobile user experience, embedded in everything from cars and household goods to farming equipment.

Without question, the digital economy is growing at an exponential rate. For example, by 2018, analyst IDC expects that devices enabling the Internet of Things will produce more than 400 trillion GBs of data per year. Industry experts from Cisco also believe that every human on Earth will possess an average of 26 smart objects by 2020. And the pace of such change will only accelerate.

With software used in every aspect of their lives, customers have come to expect an intuitive, seamless experience at all times. Meanwhile, as the sharing economy grows, the overall consumption model is changing from ownership of goods to the engagement and use of services. Not only is this trend creating a new era of “everything as a service,” but it’s also profoundly transforming how we work and live.

Find your direction for the journey

None of this is surprising to business and IT leaders, of course. Most already know that their company requires digital transformation to succeed in the new digital economy. They want to reduce process complexity and simplify technology. They seek end-to-end outcomes that can be delivered through their business systems. And amidst rapid technology change, they require quick results that can be measured against their original investment in IT solutions.

Many companies, however, are challenged with developing a roadmap to navigate the digital transformation journey. For example, a beverage manufacturer in the Asia-Pacific region recently approached my team to replace existing desktops and servers with tablet devices for its entire workforce. The executive team wanted to mobilize the workforce, but there was concern about whether the company was properly prepared for the next wave of technology change.

Whenever we speak to customers and prospects about digital transformation, it’s not uncommon to hear questions such as these:

  • How can I remove technology as an obstacle to progress and ensure that my core business is not restricted by technical limitations?
  • How can I get my workforce excited and performing optimally in a hyperconnected world?
  • How can I make sure my end-to-end supply chain – from my partners’ partners to my customers’ customers – is connected, so we can transact faster and share data in real time?
  • How can we build digital front-end processes and channels that give existing customers a better experience and attract new customers?
  • How can we best connect all of our valuable assets of the business – from machinery and equipment to people and services – to the Internet of Everything?

That’s where digital business services can help. In addition to assisting them in achieving their digital enterprise vision, our experts can enable customers to migrate certain portions of their business to the cloud while creating a digital core that supports innovation.

Accelerate success with expert services and proactive support

The future of support in a digital world is fundamentally proactive. Unlike traditional enterprise support, our services deliver exciting new technologies such as cognitive computing for incident management, live user chats with support reps, and the ability to schedule online sessions with experts.

Different organizations require distinct types of engagement – anything from simple solution safeguarding to complex innovation and optimization support. For example, next-generation services help companies adopt software or innovate in a safe, secure, and rapid manner. Plus, continuous support services for digital enterprises help ensure that business technology remains live. To learn more about these approaches, watch the on-demand replay of the SAP Digital Business Services Webcast “The Future of Support in an Era of Cloud and IoT,” featuring IDC and my support colleagues from SAP.

Our customers have opportunities to work with us and provide direct feedback into software and solution development. They can also shape their transformation road map, incorporating both industry-specific processes and technology in the mix. In the end, our customers benefit from rapid change, which is increasingly important to a company’s competitive advantage.

Achieve business outcomes

The outcomes of a well-executed transformation initiative can provide a significant competitive advantage. Here are a few examples:

  • Memebox, a South Korean online beauty products company, experienced a 100% increase in profits and a 50% reduction in its closing period by implementing in-memory-computing software. Using digital business services, the company deployed the solution in just five months.
  • CATL, the world’s third-largest manufacturer of lithium-ion batteries, built a next-generation smart manufacturing platform. Now decisions are based on real-time production intelligence, and the company realized a 25 percent increase in its average production volume for each line.
  • A major retail company implemented more than 25 digital scenarios to support a growing assemble-to-order business. Thanks to digital transformation guidance from digital business services, the company expects to accelerate its expansion plans and grow total sales and market share.

Reach out for expertise on your journey

When combined with digital business services, technology and innovation can become the lifeblood of a company’s digital transformation – and the source of real competitive advantage. Simply buying software is not enough to guarantee meaningful change that will let you keep pace with the evolving digital economy. With decades of industry knowledge and a team of service professionals with deep expertise, SAP is ready to guide you through your digital transformation journey and deliver optimal outcomes.

To get started, read our white paper Making Digital Transformation Possible with SAP Digital Business Services. See how the digital economy is having a profound impact on SAP customers, discover what our customers expect from us, and learn more about our expertise in orchestrating digital transformation.

 


Internet of Things – Digitalist Magazine