When companies design and develop IoT products, they often think and act in a microcosm. The eventual impact on the world at large is a secondary concern—and that's the root of many of the world's biggest cybersecurity issues today, FBI CISO Arlette Hart told her audience on the IoT World Europe stage at TechXLR8 last week.
"Connections are myriad and unexpected," she explained. "They mirror how we think, not how we plan." Every company might start with the best intentions of making their inventions and connected networks impenetrable—until this priority conflicts with achieving return on investment or beating a competitor to market. By the time these devices join the wider budding IoT ecosystem, keeping the desired level of security is easier said than done.
Three Cybersecurity Mantras, Relevant Worldwide
The FBI cybersecurity chief’s presentation broke down conveniently into three sections that aptly explain where the world is falling short at cybersecurity right now. As with most great keynote talks, each section was summarized into a concise, pithy statement.
"Cool trumps safe. Every single time."
It's hardly breaking news that cybersecurity is often an afterthought, particularly with technology products aimed at everyday consumers. Their makers prioritize "coolness" over safety, even more so since flashy IoT devices started making headlines. And despite several high-profile cyberattacks on devices like this in 2016, attitudes are changing at a glacial pace.
Hart noted that, while far from flawless, the U.S. federal government is more cautious with its data and technology, as are most other government bodies and industrial enterprises. She encouraged her audience to follow suit. "Technology doesn't care" whether it's being used by the correct people or for its original purpose, she said. Therefore, this responsibility lies with the technology's makers and owners.
"Unintended consequences lead to intentional compromises."
Next, Hart pointed to the bizarre reality we live in, where Furbys join mobile phones, computers and radios on the list of devices that can be compromised and used to illegally obtain data. In 1999, the National Security Agency allegedly banned Furbys from its offices, labeling them a threat to national security. This concern appears even more relevant today, as the smart toys market alone is a multibillion-dollar industry, churning out connected products capable of gathering far more information than the average consumer might expect.
Smart features might give the products in question a nice unique selling proposition, but the addition of unnecessary capabilities is rarely justified once the full scale of potential ramifications is considered. Target's infamous breach occurred when hackers found a back door into its key corporate systems—via an Internet-connected air conditioner. Hart gave this as a prime example of how connectivity can be taken too far, at great cost.
She said cybersecurity personnel need to wholly own every part of their company's network and make the final call on which devices need to be connected and which do not. "The capabilities should do what they are intended to do, and nothing else," she summarized.
"If you don't hear about incidents, that doesn't mean they aren't happening."
This topped Hart's list of widespread cybersecurity myths. Even people who read about hacks and attacks in the news seem unlikely to apply the lessons learned until they themselves or their companies are directly targeted by hackers.
"If I don't see security, it's working well" is another misconception many companies suffer from, Hart said. Too many decision makers assume their cybersecurity is being sufficiently maintained and updated when it isn't, and that when a product or system is cutting-edge, that means it's breach-proof.
Once a company has recognized it may be vulnerable, there's one final myth that plenty fall back on: "We'll figure it all out." Gartner’s claim that, between now and 2020, 99% of exploited vulnerabilities will be ones previously known to security and IT professionals refutes that myth. Identifying vulnerabilities is only the initial step in a continuous, cautious process of education that the whole organization needs to buy into.
What the Future Holds
Hart closed with suggestions for what companies using IoT should do next. "Five years in federal government might be a million years in the world of IoT," the FBI cybersecurity head said. The agency and other government bodies understand the threat an insecure Internet of Things poses, but imposing legislation and standards globally will be a long and difficult process. Industry moves at a pace that government can't keep up with; industry players must take matters into their own hands and not turn a blind eye to the growing severity of this problem, she said.
Self-regulation is paramount, Hart continued, and is just now starting to take place. Those involved could become pioneers of an international culture of cyber-education and cyber-hygiene, where security maintenance is constant, everyone is vigilant, and buy-in is universal. This vision could be achievable, even if it currently feels light-years away.
"Incidents will happen," Hart said, "so prepare and practice." As if it were a fire drill, every company needs to be thoroughly schooled in its incident response plan so that it’s not found wanting if, or rather when, a cyberattack happens.
Finally, collaboration is key. Transparency and cooperation across sectors and between would-be competitors is the secret ingredient that might just make cyber-competency achievable across the board.
"This is a team sport," Hart's final slide yelled in giant blue letters. "Get everyone involved!"