Just Like Old Days: IOT Security Pits Regulators Against Market

A panel discussion at the Security of Things Forum debated the need for regulation to ensure the security and privacy of connected devices.

CAMBRIDGE, Mass. – Listening to today’s privacy panel at the Security of Things Forum, you might have thought you were beamed back to the early 2000s: government people hinting that legislation might be the ultimate solution for security and privacy concerns when it comes to embedded computers and connected things, with enterprise security officers countering that market pressures will dictate the integrity of devices, software and data.

“The answer is that between the regulator piece and the consumer confidence and trust piece, we have a lot of incentive to get it right,” said Peter Lefkowitz, chief privacy officer at GE. Lefkowitz confessed that despite the presence of Federal Trade Commission commissioner Julie Brill on the panel—along with Northeastern University law professor Andrea Matwyshyn—and the FTC’s recent court-awarded authority to punish companies for lax security, breached companies still worry more about being on the front page of the Wall Street Journal than about fines levied by the government.

“I don’t agree that we need second, third and fourth parties looking at security and privacy,” Lefkowitz said.

The CPO said that GE Aviation, for example, follows standards for airplane engine design that have been in place for a long time, and that a government seal of approval doesn’t go a long way toward improving security that’s already in place.

“Our guys who do security for us have been doing it in a regulated space for a long time,” Lefkowitz said. “So is there an important place when putting out connected baby monitors to say to consumers ‘I’ve got a seal?’ Yes. Is it as meaningful to us when we have a seal on the engine of a Boeing plane? Not so much. We need trust, validation and confidence of the public and customers, but there are lots of ways to get there and it’s going to be context dependent.”

Brill’s concern, however, is of course consumers’ rights and concerns, and her job is to figure out how to balance the benefits and risks of connected things, in particular from a privacy perspective when everything from Fitbits, to MRI machines, to smart thermostats collect data on a person’s health, location, buying habits and much more. In fact, an FTC report released in January outlining the benefits and risks of connected devices said that 10,000 homes using a home automation system could generate upwards of 150 million data points a day. Brill said securing those devices against hackable vulnerabilities should be the top priority for device makers and security researchers should continue to seek out vulnerabilities and make these devices sturdier by doing so.

“There is a great desire in D.C. to ensure that IOT has the opportunity to flourish,” Brill said. “We’re listening to academics and researchers as to the tremendous opportunity IOT presents to improve health services, transportation, the environment, etc. We get that.”

The risk, however, is the security of the pervasive, sometimes intimate, data that’s being collected via connected devices in the home and via wearables.

“This increases the privacy concerns we’re already dealing with,” Brill said. “Job one is security because of all the vulnerabilities we’ve seen. Job two is to figure out how to deal with privacy issues when many objects that are connected don’t have a user interface. That presents challenges to give notice and choice in the usual way.”

On the business side, Lefkowitz echoed some of the same concerns that IT vendors raised in the early days of security and privacy regulation, primary among them the possibility that over-regulating would stifle innovation.

“We need to make sure if we are going to develop rules focused on security, that there is a much more involved and complicated discussion we need to have over time with industry regulators and the security community to make sure we get it right and don’t break down the possibility of evolution and building in this space.”

Discussion

  • John Bison

    Perhaps the answer is not legislation to follow security policy as much as to enforce accountability. I can't help but think HIPAA a total success, and the reason why is not the levying of fines as much as the potential for personal accountability and responsibility in the CIO, as enforced by the possibility of jail time. Ultimately, in this way the CIO or other executive has "exposure", and will do a CYA, i.e. "do the right thing" through self interest. Company fines aren't personal, jail time is...
  • Jarrod Chesney

    They should have a mandatory software update mechanism in place, so exploits can be fixed WHEN they are found. Most vendors won't want to go back and support, fix, deploy code they have written for last year's appliances anyway, it's a bit of a doomed scenario. Just take those hardware modem routers for example, I don't know of many people who even know what firmware is, let alone update their modem routers, and that's IF the vendor bothers to fix a known exploit and release an update for something they manufactured 3 years ago.
  • Paul Prescott

    Absence of oversight to protect consumer data allows understatement of actual losses to you and me.
