Cyber Experts See IoT Vulnerabilities, Liabilities Rising with Devices in Use

Experts on cybersecurity policy today warned that vulnerabilities and liabilities will only grow as the number of connected Internet of Things (IoT) devices expands. In opening remarks at the Capitol Hill event organized by the Telecommunications Industry Association, Rep. Bob Latta (R., Ohio), chairman of the House Energy and Commerce Committee’s digital commerce and consumer protection subcommittee, said lawmakers needed to “look ahead” as technology and markets changed, and that “we need soft-touch regulation so we don’t hamper anyone in industry.” He noted that “by 2025 we’re looking at 25 to 50 billion connected devices around the globe.”

Denise Zheng, director and senior fellow in the Technology Policy Program at the Center for Strategic and International Studies, said that the “IoT-relevant parts” of a recent CSIS report on cybersecurity (TR Daily, Jan. 5) focused on vulnerability research and “bug-bounty” programs.

“We think we’re just seeing the tip of the iceberg in terms of vulnerabilities, incidents, [and] lawsuits” related to IoT security, she said.

“We thought as a group that there should be more attention to investigating and modeling” cyber incidents, along the lines of the National Transportation Safety Board’s investigation of accidents, with the proviso that the information not be used in legal proceedings, and perhaps with some limited liability protection, Ms. Zheng said.

Kiersten Todt, president and managing partner of Liberty Group Ventures LLC, who was the executive director of the Presidential Commission on Enhancing National Cybersecurity, said that when the commission members “began talking about IoT there was a lot of focus on security for life-affecting devices like cars and pacemakers; then Mirai happened,” she added, referring to a distributed denial of service attack launched last fall using IoT devices as bots, and commission members realized that if a life-affecting device “touches” a non-life-affecting device, security that only focuses on the former is ineffective.

Eric Wenger, director–cybersecurity and privacy policy at Cisco Systems, said that the average IT professional sees about 5,000 alerts daily and that “when you talk about managed devices, once you get beyond about 200 managed devices per IT professional,” the situation becomes unmanageable. As the number of devices “scale up … in theory you would have to hire a lot more IT professionals,” he said, but that isn’t realistic, so “you have to figure out a way to make this manageable by humans.”

James Simister, director–professional services at Panasonic Software and Analytics Solutions, emphasized the importance of consumer education about device security.

However, Ms. Todt said that while “in the short term, consumers need to be educated,” in the longer term, “we need to move security away from the end-user,” so that security doesn’t depend on consumers’ actions.

Mr. Wenger suggested that eligible IoT devices could carry a label similar to those issued by UL (formerly Underwriters Laboratories), attesting to physical safety, but in the IoT case, the mark would indicate that risks were assessed and would be managed throughout the device life cycle. —Lynn Stanton, lynn.stanton@wolterskluwer.com

Courtesy TRDaily