As technology increases, so do the risks
The internet of things (IoT) has yielded both benefits and risks to consumers everywhere, with the British Government now looking to adopt security standards to protect individuals and prevent cyber-attacks on infrastructure.
But as connected devices continue to proliferate – with 15 smart items expected in every household by 2020 – how to drive adoption of a common code of practice appears more of a challenge than securing the technology itself.
It was an issue discussed during a panel on IoT security during the NCSC Cyber UK conference in Manchester this week.
“Consumers gonna consume,” said Katie Moussouris, founder of Luta Security and a prominent figure in the IT scene for her work with bug bounty programs and ethical hacking.
“People are going to do what they do and apply their toolset to whatever problem they have,” she said.
“A lot of well-intentioned regulators make mistakes because they lack the understanding of scope and scale.”
Moussouris was joined by James Martin of the British Retail Consortium, alongside representatives from both the NCSC and Department for Digital, Culture, Media & Sport (DCMS).
Earlier this year DCMS released a report as part of the UK’s National Cyber Security strategy, aimed at creating new measures for manufacturing and purchasing smart devices.
The report, titled Secure by Design: Improving the Cyber Security of Consumer Internet of Things, focused on the use of IoT devices in the home – a problem that the DCMS believes is essential to tackle as ownership of smart technology increases, while security awareness lags further and further behind.
In 2017, for instance, over one billion consumers were hacked around the world, with the Department of Homeland Security’s Office of Cyber and Infrastructure Analysis (OCIA) reiterating how IoT devices were creating a ‘new pathway’ for malicious actors to strike.
“We need to make sure that we’re creating the market demand for more secure products,” said Emma Green of the DCMS, presenting the findings.
“And part of that is better articulating to those that buy these products and making sure that they understand how to make the choice between one or the other.”
Some of the recommendations following the DCMS industry-led review include no default passwords, keeping software updated, and having a vulnerability disclosure policy.
Organizations should implement these, the report found, as a first step toward eliminating poor security practice, from the manufacturer, all the way to the end-user.
Green said: “It’s all very well to have these guidelines, but the key question is how to shift behaviors across the market?”
One of the first steps is to make sure that the recommendations can be applicable to everyone, Green said, and that education – not necessarily regulation – was the way forward without causing harm to innovation.
Incentivizing behaviour, however, is even more of a challenge.
“The damage does not always align with the person who would have to make the efforts to make the device secure,” said Martin.
“There is a large stream of harm to the individual who owns the device and we have to make them understand that, but a lot of the risk is to the infrastructure where a lot of these IoT devices can multiply.
“That’s quite a big thing to get across in order to shift behaviour.”
A botnet that was discovered in January, The Daily Swig reported, is just one example of how IoT devices can be exploited easily and in a “significantly improved form.”
The DCMS said it would publish a revised code of practice later in the spring, accepting any recommendations from stakeholders until April, 25.