Is Slowing Down Innovation the Key to a More Secure Internet of Things?

September 20, 2018 - 10 minutes read

It may sound counterintuitive, but could cybersecurity for the Internet of Things (IoT) be improved with a slower rate of innovation in the field? With IoT, security compromises don’t just mean a smartphone or computer getting hacked; the interconnected nature of IoT means entire groups of cars, homes, hospitals, and offices could be hacked at the same time.

Unfortunately, security is often the last thing on IoT developers’ minds — after working on user experience, design, feature development, product releases, and more, developers often have to choose between working on the product’s next iteration or improving security protocols. So, is slowing down this cycle the key to a more secure IoT?

Stronger Connectivity Comes at a Cost

Bruce Schneier, a renowned cybersecurity expert, writes in his new book Click Here to Kill Everybody about government inaction in improving cybersecurity for connected device networks. He wants security to be a bigger priority, not just an afterthought.

According to a report by Gartner, over 11 billion devices will connect to the Internet this year (not including smartphones and computers); this number is only expected to grow as technology advances and 5G starts rolling out.

Schneier’s not just an armchair expert, either. He is a fellow at Harvard’s Berkman Klein Center for Internet and Society and gives public policy lectures at the Boston-based college’s Kennedy School. Schneier also works as the chief technology officer at IBM Resilient, a platform that helps enterprises prepare for cybersecurity threats.

A More Tangible Internet

Schneier says his book is titled Click Here to Kill Everybody because the Internet has changed our world directly: not just metaphorically, but physically too. This means cybersecurity is more important now than ever.

If our cars can be hacked to take us to the wrong destination, our heart monitor compromised to show an incorrect pattern, and our front doors unlocked for strangers, the Internet’s capabilities are not only physical — they’re potentially dangerous.

This physical Internet space also affects cybersecurity; no longer does cybersecurity mean security for computers. The term has expanded to encapsulate entire homes, cars, hospitals, and office buildings.

Embedded Into the Modern Era

Schneier thinks that the term “Internet of Things” is too narrow; it captures devices like thermostats, sensors, appliances, etc., but it doesn’t include the back-end mechanics, maintenance, security protocols, and more.

That term doesn’t even scratch the surface of how close we’ve become to our devices; as Schneier puts it, “We’re already intimately tied to devices… Computers aren’t yet widely embedded in our bodies, but they’re deeply embedded in our lives,” leading us down a path where we’re turning into “virtual cyborgs”.

When asked if we could limit our intake of the Internet to mitigate risks, Schneier spoke anecdotally about his experience looking for a new car: “I tried to buy a car that wasn’t connected to the Internet, and I failed. It’s not that there were no cars available like this, but the ones in the range I wanted all came with an Internet connection. Even if it could be turned off, there was no guarantee hackers couldn’t turn it back on remotely.”

The Case for Being Proactive

Schneier says that just because hackers haven’t killed or hurt anyone yet doesn’t mean they won’t do so in the future. Often, non-physical consequences, like loss of data privacy or a stolen social security number, can affect a person for the rest of their life.

Schneier points out more sinister examples: “I’m obviously concerned if someone steals my medical records, but what if they change my blood type in the database? I don’t want someone hacking my car’s Bluetooth connection and listening to my conversations, but I really don’t want them to disable the steering.”

According to Schneier, there is no time for security patches when the Internet is so entwined in our lives; must we wait until someone dies from a vulnerable pacemaker before issuing a security patch? Can we afford to have hacked cars driving around before realizing we need a security patch? Often, companies start beefing up their cybersecurity team after a major attack, but we’re getting to a point where we can’t wait for the first attack to start taking action.

Who Suffers the Consequences?

Russian hackers have been the subject of news stories in the U.S. for two years now. They’ve been known to turn off power at some of Ukraine’s power grids for military purposes before. Nothing’s stopping them from hacking into American grids and dams and doing the same.

This infrastructure is critical to Internet connectivity and daily life for most Americans, and one attack could leave us without water and power for prolonged periods of time.

America’s not entirely innocent, however; in the past, the U.S. has hacked into Iran’s and North Korea’s nuclear programs to create delays. This is a new type of warfare that doesn’t require heavy machinery to accomplish.

But most public utilities are regulated by the government to follow strict security standards. It’s likely the consumer-facing devices that will become an issue; as Schneier puts it, “The market right now doesn’t reward secure software at all here. As long as you, as a company, won’t gain additional market share because of being more secure, you’re not going to spend much time on the issue.”

And in this case, governments do share some of the guilt.

A Double-Edged Sword

Schneier points out that “there’s no industry that’s improved safety or security without governments forcing it to do so. Again and again, companies skimp on security until they are forced to take it seriously. We need government to step up here with … flexible standards, rigid rules, and tough liability laws whose penalties are big enough to seriously hurt a company’s earnings.”

Yes, it will slow down innovation, but what is new technology if it’s vulnerable to a big attack at any moment? Innovating without securing back-up can kill, wound, or badly affect people for life. Schneier states it more elegantly: “… the cost of getting it wrong is too great.”

Governments are notorious double-edged swords; they love exploiting security vulnerabilities to spy on citizens, track behavior, and flag potential terrorists. But we may be giving everyone, not just our own government, a lot more power by not pushing for stricter security standards across the board.

Action Over Talk

Europe’s recently been making big moves with regard to technology regulation and has definitely become the foremost authority as a result. America has a lot of catching up to do.

Schneier predicts there will eventually be “international treaties and norms that put some of our connected infrastructure off-limits to nation-state cyber attacks, at least in peacetime.”

But for now, we desperately need more emphasis on cybersecurity over further innovation. Schneier doesn’t just want the federal government to get involved, though. He is calling for “action at all levels now, from local to international [authorities].”

Keeping technology secure is difficult but always worth it in the long run. Do you think the U.S. or Europe will take the lead on IoT cybersecurity? What kinds of rules should they put into place? And how could governments possibly convince companies to take cybersecurity seriously without enforcement?

Let us know your thoughts!
