Regulation is coming to the world of Internet of Things (IoT), according to security expert Bruce Schneier, who used his keynote at Infosec 2017 to warn delegates of the dangers of inaction.
“Regulation is coming for us”, he told the audience, adding:
Governments are going to get involved, regardless. The stakes are too high – the real physical threats from the IoT will force them to act – we’re talking about fear. And nothing incentivises governments to do something stupid like fear. The choice is not between regulation and no regulation, like it used to be. It is between smart government regulation and stupid government regulation.
And if we don’t want outside regulation imposed on us with little thought behind it, we need to start thinking about this. We are one disaster away from government doing something – we need to ensure it is something that is also smart.
Schneier went on to highlight the dangers of the technologies involved, comparing the current trajectory to building a giant, distributed “world-sized” robot without any clear oversight.
Back in 2011 Marc Andreessen wrote about ‘Why Software Is Eating The World’, but now what is eating the world is IoT. A lot of this cyber-physical technology has the potential to deepen inequities and widen the digital divide. For example, WannaCry’s ransomware attack in the UK resulted in people being turned away from hospitals – that is an availability attack, not a confidentiality attack. Ransomware attacks against cars and against medical systems are different, and suddenly matter much more than attacks against computers.
The remarks follow a statement in March from Maureen Ohlhausen, the head of the US Federal Trade Commission (FTC), that the agency would take a “wait and see” approach to regulation, in spite of large-scale DDoS attacks such as the one generated by the Mirai botnet in late 2016, which knocked domain name system (DNS) provider Dyn offline with an attack of historic volume.
The European Commission, in contrast, has announced plans to improve IoT security via the creation of a certification process for devices, comparable to the European energy-consumption labelling scheme, which was implemented in 1992 and covers white goods and similar products.
4 comments on “InfoSec 2017: ‘One disaster away from governments doing something’ on IoT”
Government regulation is a good thing. Government represents the collective will of the people. We cannot always allow corporations to do the right thing when it comes to technology. What we need are open standards and regulations that protect people’s privacy.
Government regulation is only a good thing if/when it is done well. Unfortunately, government has a spectacular record of NOT doing things well. If they don’t get it right, we’ll all suffer for it.
It’s coming, and I can’t wait. The IoT is filled with junk security, and it needs to change.
But, the author is right: there are many really bad ways to implement regulations in this area. So, I have a tip for the lawmakers: Come to this web site and learn some stuff. NakedSecurity (NS) has some excellent articles on the subject, and they have solid, practical solutions. If the IoT vendors refuse to read and apply NS’ stuff, the government should.
* There are most likely other organizations doing what NS does, like other AV vendors. Lawmakers and executive branch staff should consult many sources. But, at least read this one! (And, no, I don’t work for Sophos or NS.)
Thanks for the kind words about Naked Security – we’re lucky to have such great writers working with us!