October 18, 2016
Securing the Internet of Things
By Rachel Ansley
The system of interrelating, connected computing devices with the ability to transfer data, known as the Internet of Things (IoT), “is not a trend, it’s a full-blown phenomenon,” said Robert Silvers, assistant secretary for cyber policy at the Department of Homeland Security (DHS).
The pervasiveness of IoT, from medical devices to driverless vehicles, has led to “a national dependency,” according to Silvers. Our reliance on connected devices means that “IoT security is not a public safety issue; it’s now a homeland security issue,” he added.
Silvers joined Suzanne Schwartz, associate director for science and strategic partnerships at the Food and Drug Administration (FDA), and Joshua Corman, director of the Cyber Statecraft Initiative at the Atlantic Council, to discuss the need to address IoT vulnerabilities and bulk up policy for developing cyber defense capabilities. The panel focused on “the tremendous promise and the increasing perils these devices have exposed us to,” said Beau Woods, the deputy director of the Council’s Cyber Statecraft Initiative.
The need for industry and civil society leaders to address potential security threats posed by connected devices becomes more pressing in the wake of hackers interfering in the US presidential election and the discovery of cybersecurity vulnerabilities in medical devices.
Insecure IoT devices leave societies vulnerable to nefarious actors, providing yet another way that the public can be targeted. Consequently, “if we’re cavalier about it, we’re going to have very painful consequences,” said Corman.
In his opening remarks, Silvers said policymakers need to consider the best approach to incentivize adequate security measures. He said that in the current system, IoT devices are pushed to market without security measures appropriately accounted for, because security failure is not adequately considered. “We need to make sure this architecture that we’re building is built on a secure and trustworthy foundation,” he said.
Silvers said that in the coming months, DHS will issue a set of strategic principles for IoT security, providing information about security risks and recommending approved approaches to address them. Not meant to be a regulatory document, it is intended to serve as a reference for executive leaders to help them understand and account for security measures.
Emphasizing the need for strategic foresight in addressing the cyber threat, Silvers issued a general call to action, claiming that those in a position to influence security measures must do so quickly. “IoT security is hard…but the fact that it’s hard can’t be the deterrent. The hard challenges are not going to get easier with time, they’re going to get harder, so we need to mobilize our efforts,” he said.
According to Schwartz, “these types of advances hold extraordinary promise…yet by its nature these very same features also, as a result, bring into the picture new risks.” Cybersecurity is now part of the FDA’s quality security regulation.
Vulnerabilities, either persisting or emerging, will always exist, said Schwartz. She said this defining feature of the field necessitates a shift in mindset and greater involvement by all stakeholders. “This has to be a space of shared responsibility,” she said. Regulation of cybersecurity cannot remain at the federal level or purely within the industry; it requires “a mobilization of all of the parties that are involved that would need to be well-prepared as far as understanding how to deal with a concern.”
When it comes to identifying security vulnerabilities, particularly in connected medical devices, and identifying those which pose a threat to the well-being of the patient, Schwartz said policymakers must be proactive, not reactive. “We don’t want to find ourselves in a situation where patients are actually hurt, and that’s what causes a reaction,” she said. She added, “security must be addressed in a timely manner before patients are hurt.”
Corman said, “After a high-consequence failure, you will see more action from Congress out of necessity. I would like to see something more proactive.”
Schwartz said government’s role lies in encouraging not only preemptive action, but also continuous assessment by stakeholders at all levels. “We need to be much more vigilant in continuous quality improvement,” she said.
Corman also cited the need for a more de-regulatory posture from the federal government. While “there has to be a role for lawmakers,” Corman claimed bureaucracy might hinder the necessary prompt corrective action. However, the public expects safety standards. According to Corman, if the government fails to meet that expectation, there will be not only a crisis of confidence, but also a loss of life and potential negative impact on the gross domestic product (GDP).
“Where bits and bytes meet flesh and blood…we need to take a more active and aggressive posture,” he said.
Corman collaborated on a 5 Star Automotive Cyber Safety Framework which, focusing on connected automobiles, takes as a given that all systems fail, and offers recommendations to “make sure that when those moments come, we are prepared for them,” he said. He claimed that the timescales for research, development, and response are much longer because of the nature of IoT devices, and that it is therefore increasingly important to plan ahead.
Despite the risks associated with connected devices, Schwartz said, “in parallel with recognizing absolutely that the security aspects need to be dealt with…we also cannot dismiss that these devices, were they not there, many patients may not be alive today.”
According to Corman, “the difficulty of a thing is independent of the necessity of a thing.” He asserted that policymakers must put in the work now to be better prepared for failure in the future. “Let’s tackle the really hard problems before we wish we had started earlier,” he said.
Rachel Ansley is an editorial assistant at the Atlantic Council.