October 19, 2016 – Participants at a multistakeholder meeting hosted today by the National Telecommunications and Information Administration in Austin, Texas, to discuss Internet of things security patching and upgrades highlighted the pressing need to address security improvements to IoT devices and systems as the technology matures and proliferates into consumer markets, along with conflicts in the economic drivers of IoT technologies that may make it difficult to achieve top-notch security.
Olaf Kolkman, chief Internet technology officer at the Internet Society, told meeting attendees that “the security of the Internet of things is the topic of urgency, a topic that is [held] by many to be of importance, but also a topic that is incredibly hard to address because the incentives to deploy security, the benefits and the costs are mostly externalized.”
“It is not quite clear who needs to do what in this context and what are the benefits for people to take action,” he said, adding that he was speaking “in terms of responsibility towards the overall Internet. That’s where we come from at the Internet Society, looking at the impact of these things on the general environment of the Internet.” Mr. Kolkman suggested that the IoT sector seek out “some standardized way to do authorized and authenticated software updates,” saying that such a result would be “an improvement to having the situation that we have now. Now we have no standardized way to do this. What the scope is of that standardization activity is not quite clear.”
He said that sharing of work regarding security updating practices that might be “applicable for your organization or your environment in the industry or your particular vertical is very useful in another.”
Lorie Wigle, general manager-IoT security solutions at Intel Security, told attendees that “from a security research perspective . . . I think everyone here understands there’s a really big problem” with IoT security. Among the problems, she noted, are incidents of hackers enlisting “stupidly vulnerable” IoT devices to make up parts of botnets, and poor IoT security leading to increased ransomware attacks.
“We see on the horizon a big shift in that and in particular our belief in what we have started to prove out in the labs is that ransomware will end up playing a really big role with these vulnerable devices and that will have a very direct impact on the consumer,” Ms. Wigle said. Devices that could be vulnerable to such attacks, she said, may range from automobiles to coffee makers. She said that Intel Security has settled on “a really central core set of hardware security features that should be in every processor for an IoT device” and was willing to share it. “We’re not holding this close and think everyone should be doing this,” she said.
Jeff Wilbur, vice president-research at the Online Trust Alliance, noted published survey results indicating that consumers were wary of IoT-enabled devices because of security concerns, and said some of those concerns included whether makers of major appliances would conduct security upgrades of the equipment over product life cycles that may run as long as 20 years.
Beau Woods, deputy director of the Atlantic Council’s Cyber Statecraft Initiative, warned that unless industry acts on its own to reach effective consensus on improving IoT security, then the chances of congressional action increase, but that if the industry can tamp down the motivation for legislation by improving security on its own, “that puts you in the driver’s seat as manufacturers.”
“We think the record shows that multi-stakeholder processes can be an effective way to address emerging technological issues while allowing for more speed and flexibility when compared to a typical regulatory or legislative response,” said Angela Simpson, deputy assistant secretary at NTIA, who spoke at the beginning of today’s event. “This approach has played a major role in the design and operation of the Internet and other new technologies and we think the issue of IoT security upgradability impenetrability is urgent, complex, and a really good fit to be addressed by a multi-stakeholder approach,” she said.
“As with our other processes, it will be up to stakeholders to determine the outcome they want and when they have reached consensus on it,” Ms. Simpson said. “NTIA is going to act as a neutral convener but to be clear we are not regulators and we are not developing rules or bringing enforcement actions and we will not tell you what to do.” She said NTIA is most interested in two “potential products” from the multistakeholder effort – “a broadly shared definition or a set of definitions around security upgradability for consumer IoT,” and “a strategy or strategies for communicating the security features of IoT devices to consumers.”
“What we’re really looking for is transparency in the security practices for consumer devices that are increasingly touching every aspect of our lives, our homes, our families, and for stakeholders to chart the path forward,” she said.
“We acknowledge that we see IoT here today and so many connected devices already in play,” said Evelyn Remaley, deputy associate administrator for NTIA’s Office of Policy Analysis and Development, who also spoke at today’s meeting. “It’s here, and the issue of security is a very big and important question related to these emerging technologies. NTIA is so invested and interested in furthering the innovation in this area and continuing the economic aspects. We see the security piece being something that can’t be left behind.” In explaining how IoT customers might evaluate the security of various products, Ms. Remaley said that “one potential vision that has been raised by stakeholders in our conversations has been that there could be several classes or levels of upgradability out there which might amount to different technical capabilities.”
She continued, “Each could correspond to a consumer friendly term or label that could be used to communicate simply and directly with purchasers and consumers. Behind these terms and labels could be a set of principles or specifications to help developers, manufacturers, integrators, and other key players deliver products that offer specific security upgradability capabilities. But what these features are and what we do here is entirely up to you. We’re looking for you to drive what is important and what you think consumers are looking for.” – John Curran