Security needed in world of internet-enabled things

Daily Local News (West Chester, PA) - BUSINESS - By Tami Abdollah

WASHINGTON » The Obama administration urged companies on Tuesday to make millions of devices safe from hacking, underscoring the risks posed by an increasingly bewildering array of internet-connected products permeating daily life, covering everything from fitness trackers to computers in automobiles.

In a report obtained by The Associated Press, the Homeland Security Department described runaway security problems with devices that have been made internet-capable in recent years, a group that includes medical implants, surveillance cameras, home appliances, digital video recorders, thermostats and baby monitors.

It said they posed “substantial safety and economic risks,” recommending immediate action by software and hardware developers, service providers, manufacturers and commercial and government buyers. No specific penalties were proposed for manufacturers failing to comply. No blame was placed on consumers buying and operating such products.

“The growing dependency on network-connected technologies is outpacing the means to secure them,” Homeland Secretary Jeh Johnson said.

The department’s strategy represents an attempt to organize the so-far scattered cybersecurity efforts for the category of devices known as the “internet of things.” It comes less than a month after hackers harnessed an army of 100,000 internet-connected devices around the world, such as DVRs and security cameras, to attack Dyn Co., which helps route internet traffic to its destination. It caused temporary internet outages to sites that included Twitter, PayPal, Pinterest, Reddit and Spotify.

Such threats are likely to increase, U.S. officials warn.

“Securing the internet of things has become a matter of homeland security,” Johnson said. Tuesday’s guidance, he added, should help companies “make informed security decisions.”

The report culminates a six-month review by Robert Silvers, the assistant homeland security secretary for cyber policy, who coordinated with cybersecurity experts, industry associations and branches of the government such as the Justice and State departments. They spoke about possibly holding companies accountable through product liability principles and how to create a uniform rulebook for securing these devices.

“We need to have a very serious national conversation about what the approach is, and we need to do it urgently,” Silvers said.

The internet of things is decentralized and enormously complex, making it difficult to regulate. A camera with online capabilities may be designed in California, manufactured in China with parts from Taiwan and sold to someone who operates it on Germany’s network. Silvers said there is no benefit to “190 different national approaches.”

Some industrial sectors have moved forward with their own recommendations. In September, the National Highway Traffic Safety Administration published guidelines for self-driving cars. The Food and Drug Administration published its own guidance for medical devices in January.

For more than a decade, companies have added internet capabilities to devices as an additional feature, sometimes without security considerations. But adding security in wholesale fashion afterward is often more costly. It is also more complicated when it means changing standard industry practices.

Some fixes are easier than others. The government urged companies to ensure security settings are turned on by default. Unique passwords for each device should be required so hackers can’t use a single stolen password to control thousands or more devices. Manufacturers ought to make products whose vulnerabilities can be fixed remotely.

“You can’t rely on a consumer to spend three hours to upgrade her toaster software. It’s not going to happen,” Silvers said.

The government also highlighted the need for an “end-of-life strategy” for devices that aren’t created to last indefinitely. As a result, they won’t be patched and updated forever, leading to new vulnerabilities for consumers using devices beyond certain expiration dates.

The recommendations were released before a congressional hearing Wednesday on the role of connected devices in cyberattacks. No government officials were expected to testify.

To prevent more attacks, the government must increase security regulations for “what are now critical and life-threatening technologies,” according to Bruce Schneier, a fellow at the Berkman Center for Internet and Society at Harvard Law School and a well-known cybersecurity expert.

“It’s no longer a question of if, it’s a question of when,” Schneier said in prepared remarks for the hearing.
