The rapid proliferation of insecure internet-connected devices and systems is threatening critical healthcare, financial, transportation, energy and other infrastructure, to the extent that government and industry should be working together more closely than ever to mitigate risks.
This was the consensus among security experts and lawmakers during a House committee hearing last month to discuss the growing number of breaches, hacks, and cybersecurity incidents, the most recent and largest of which was the distributed denial of service (DDoS) attack that recently disrupted the Internet. Cyberthreats now loom large over critical sectors, and it is only a matter of time before catastrophic events happen.
Bruce Schneier, a security scholar and lecturer on public policy at Harvard, testified during the hearing that “the same poor security exists in computers making their way into hospitals, including those used to manage elevators and ventilation systems. It’s not hard to imagine a fatal disaster, which makes it imperative that the government step in to fix this ‘market failure,’” reports Technology Review.
Some experts at the hearing advocated for a single government entity to enforce cybersecurity rules. Currently, several federal agencies are collaborating to address cybersecurity risks within the confines of their mandates.
However, the Trade Subcommittee chairman, U.S. Rep. Michael C. Burgess, M.D. (R-TX), said “Government is never going to have the manpower or resources to address all of these challenges as they come up – which is why we need industry to take the lead,” according to a news release.
Even if industry leads the way, Rep. Greg Walden (R-OR), chairman of the Communications and Technology Subcommittee, asked the experts whether it is at all possible to introduce unified cybersecurity standards without doing so at the expense of innovation.
Dr. Kevin Fu, CEO of Virta Labs and an associate professor in the Department of Electrical Engineering and Computer Science at the University of Michigan, said, “There are ways you can do this effectively without stifling innovation. In fact, I believe a well-designed cybersecurity framework will actually promote innovation… There is no perfect standard, but it will be very difficult to build in security if we don’t have these principles set in place. It needs to have buy-in from industry. It needs to have government leadership as well, but it’s all about setting those principles.”
At around the same time the House hearing was held, the Department of Homeland Security (DHS) issued a publication outlining strategic principles and security best practices to mitigate cyberthreats – what it calls “a first step to motivate and frame conversations about positive measures for IoT security among IoT developers, manufacturers, service providers, and the users who purchase and deploy the devices, services, and systems.”
Among the department's recommendations for manufacturers: build security in at the design phase of network-connected devices; practice regular patching, security updates, and vulnerability management; and follow basic software security and cybersecurity practices, including the guidelines in the Federal Trade Commission (FTC) Security Guide and the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
One of NIST's latest publications, implementation guidance for security systems engineering, was also released last month.
It remains to be seen what concrete steps the incoming U.S. administration will take to address cybersecurity. In the current climate, manufacturers and companies follow industry-specific standards set by multiple government agencies while continuing to drive the IoT revolution.
“How do we make ourselves more secure without sacrificing the benefits of innovation and technological advances? The knee-jerk reaction might be to regulate the IoT, and while I am not taking that off the table, the question is whether we need a more holistic approach,” said Chairman Walden. “Any sustainable and effective solution will require input from all members of the ecosystem for the so-called ‘Internet of Things.’ We’ll need a concerted effort to improve not only device security, but also coordinate network security and improve the relationships between industry, government, and security researchers. We’re all in this together and will need to take responsibility for securing the Internet of Things.”