Cybersecurity in the internet of things is a game of incentives
Cybersecurity was the virtual elephant in the showroom at this month’s Consumer Electronics Show in Las Vegas. Attendees of the annual tech trade show, organized by the Consumer Technology Association, relished the opportunity to experience a future filled with delivery drones, autonomous vehicles, virtual and augmented reality and a plethora of “Internet of things” devices, including fridges, wearables, televisions, routers, speakers, washing machines and even robot home assistants.
Given the proliferation of connected devices—already, there are estimated to be at least 6.4 billion—there remains the critical question of how to ensure their security. The cybersecurity challenge posed by the internet of things is unique. The scale of connected devices magnifies the consequences of insecurity. Compromised devices can be organized into “botnets” and used to disrupt internet service of users anywhere on the globe. Such distributed denial of service attacks are increasing in number and frequency, with a 138 percent increase since November 2015 in attacks of more than 100 gigabits per second. Smart firewalls can identify and shut down compromised devices, discover malicious patterns and adapt to new threats.
Some networked products are designed to solve the security problems their internet-connected kin create. One such device, Cujo, sells peace-of-mind cybersecurity solutions for connected devices to consumers. The Cujo team at CES demonstrated their smart firewall, which connects to a router upstream of other internet-connected devices in a home. Cujo also blocks malicious websites and allows users to implement parental controls, filter content and schedule internet use. The felicitous demo at Cujo’s booth revealed how to block someone from accessing Twitter using home Wi-Fi. That fictional someone’s username? Donald Trump.
Cujo samples metadata—information about IP addresses and ports, amount of bandwidth used, packet count and connection states—from device traffic and sends the encrypted samples to the cloud for analysis. Machine-learning algorithms then analyze the data to build models and find insights without specific direction. In essence, users get a cloud-based, artificially intelligent security assistant. The inferences Cujo can draw from its database could be used to identify common attack vectors or vulnerable devices and help to vaccinate networks. While information about incidents is likely to remain proprietary to the company, knowing that these vulnerabilities exist would benefit other manufacturers, researchers, cyber insurers and consumers generally.
Cujo is not the only firm offering aftermarket security solutions for connected devices. Dojo is another router-attachment that monitors device traffic and alerts consumers to anything fishy. BitDefender Box and Securifi’s Almond 3 Wi-Fi system made appearances at CES, along with Symantec unveiling its Norton Core router, all of which boast security benefits for the internet of things. Market problems are, in fact, opportunities for entrepreneurs to fill the gap.
While add-on cybersecurity that only catches problems after the fact is not an ideal solution, devices like Cujo make it harder for malware to remain unidentified. Given sufficiently broad adoption, hackers will have to invent new malware and find new attack vectors constantly. The time and money such efforts cost may be enough to deter them.
Off the showroom floor, pre-emptive cybersecurity solutions were a lively topic of discussion. On the first day of CES, Online Trust Alliance released the second version of its IoT Trust Framework, which serves as a risk assessment guide for stakeholders. It sketches device design requirements and security processes, and serves as a starting point for future Internet of things certification programs.
The framework reflects input from industry players like ADT, Microsoft, Symantec and Verisign, as well as government agencies like the departments of Commerce and Homeland Security, the Federal Communications Commission and Federal Trade Commission. Third-party organizations such as the Consumer Technology Association and Center for Democracy & Technology also have contributed comments and insight.
The National Telecommunications and Information Administration’s recent green paper on the Internet of things emphasizes the role the Commerce Department could play in supporting development of a competitive, secure and trustworthy environment. The paper focuses on the department’s ability to promote standards and bring people together to address policy concerns. Most importantly, it recognizes that new market entrants will need room to experiment and mature.
There will be no single omnipotent cybersecurity fix for the internet of things. New cybersecurity devices are part of the solution, but standards set out by government agencies also will play a role. As the technologies continue to evolve, policymakers should be careful not to construct restrictive regulatory regimes, while seeking out ways to reward security-conscious products with certifications, promote the adoption of cyber insurance, encourage firms to share information about potential threats, and to develop and adopt best practices voluntarily.
Image by Kobby Dagan
