Can We Secure the Internet of Things?

As we began 2014, one hot trend that grabbed everyone’s attention was the growing buzz around the Internet of Things. The concept is that virtually every device will have an IP address, including refrigerators, cars, pacemakers and wearable tech.

One goal: instant access to every aspect in our connected homes. For example, you can turn up the heat (or air conditioning) and start cooking the casserole in the oven — while driving home from work.

Looking a bit further out, your robot vacuum cleaner can tidy up the family room while you’re at work. Or imagine doctor’s visits from the comfort of home or clothes that report your blood pressure is too high.

For public-sector CIOs, how about government systems that are smart enough to talk to citizen scheduling assistants (which are really the new personal computers or smartphones)? My Memorial Day weekend campground reservation could be made on the first possible day nine months in advance, while my kids are getting ready to go back to school.

Sound awesome? For many in our society, the answer is probably yes. But it also raises the question: How can we possibly secure everything?

Before we address that question, I’d like to look back at security lessons from the past two decades. Let me start with a comment I left regarding a PC Magazine article in December:

I’m always amazed at how history keeps repeating itself in the world of computer security. Think back: operating systems, apps, smartphones, cloud computing and more — released with known vulnerabilities.

More than a decade ago, Microsoft (and other leading high-tech companies) declared that security will be job No. 1, and yet industry continues to release new products and “complete” services without adequate security protections.

Why? The rush to market. Because it pays off in the short term. And because consumers like to buy the latest “cool thing” without a second thought. No doubt, doing the right thing is harder and can slow things down — but no one ever uses that argument when considering good brakes in a car.

Here’s a prediction for you: Someone will write “an insightful article” for Wired magazine three years from now about how we should have thought to build security into XYZ hot new device way back when.

Near the beginning of that article, we’ll see words similar to: “We never really thought about security when we first introduced the XYZ product.”

And I’ll say, “Really?”

One silver lining: a vibrant cybersecurity industry for decades to come.

Solutions, Please

Some cybersecurity pragmatists prefer not to talk about the Internet of Things — yet. They’d rather focus on current cyberthreats — from ransomware to spear-phishing scams to denial-of-service attacks to whatever else is hot. They point out that general discussions about cloud or mobile security are too broad to make a real difference.

It may surprise you that I am sympathetic to this argument. Since the bad guys are already way out in front of the good guys today, why discuss the implications of future technologies? Pragmatists go further by saying that we will never fully secure the Internet of Things, because we can’t even secure the current Internet.

But we can secure individual computer systems and applications connected to the Internet. You can secure your corner of cyberspace. Another answer is for all consumer electronics companies to get specific with protections as they roll out new products and services. We can learn from the brief history of cyberspace.

What does this look like? Researchers who are building the smart grid are thinking through the supply chain and the manufacturing sources of components. Network providers build in access controls and enterprise security that is smarter and easier to use for families.

And government IT leaders must build security provisions and cyberprotections into current and new contracts. From relationships with banks to the purchase of utility services, public-sector business leaders can make a difference. The best way to influence the privacy of today’s citizen data and the future Internet of Things is by strengthening the legal requirements in the current procurement process.

Final thought: Abraham Lincoln once said, “You cannot escape the responsibility of tomorrow by evading it today.”

Daniel J. Lohrmann is the Chief Strategist at Security Mentor. He is an internationally recognized cybersecurity leader, technologist, and author. During his distinguished career, Dan has served global organizations in the public and private sectors in a variety of executive leadership capacities, including enterprise-wide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.