"There are more devices and more types of devices, so this just gives you more ways for people to track you or hurt you," Corman, a long-time security expert and cofounder of I Am The Cavalry, says. "What we've done is blindly assume that [adding software and connectivity] is always good. And we're making really horrible, horrible choices."
Corman founded IATC—a cybersecurity research non-profit focused on reducing IoT-related public safety risks—with security researcher Nick Percoco at a 2013 hacker conference. Medical devices are a big area of concern for Corman and his group. Besides vulnerable insulin pumps and pacemakers, hacker-researchers have shown high-tech hospital equipment—from Bluetooth-enabled defibrillators to remotely controlled drug infusion drips—could be manipulated toward grievous, even deadly, ends. IATC is also keeping an eye on connected cars, home security and automation systems and "smart" public infrastructure, like utility grids and traffic control.
[...]
"The majority of the security industry has been focused on private sector, protecting a bank or credit cards," points out Corman. As software started springing up in insulin pumps and cars, he became more concerned. "I’m thinking, 'Guys, we can’t even secure credit cards with $80 billion of our best and brightest—why are we putting dependencies in areas that can kill people?'"
Through IATC, Corman and a network of volunteer cybersecurity experts and whitehat hackers have developed a five-point list of standards for connected cars and have started collaborating with the Society of Automotive Engineers. He plans to release similar guidelines for other "life and limb" applications of the technology, including medical devices and public infrastructure.
But security remains an optional pursuit for manufacturers. "IoT technologies in general don’t have good security," says Susan Landau, faculty member at Worcester Polytechnic Institute and a distinguished scholar on cybersecurity and privacy issues. "There are no legal frameworks that demand good security. We’re racing ahead yet again without putting the security and privacy in."
[...]
Tien suggests that the fact that the well-meaning motivation that powers data collection in public places—for "smart city" initiatives, for example—helps normalize the Big Brother-esque creepiness of Big Data.
"There is a real attraction to what I would call dangerous surveillance practices when those practices are aimed at people and their everyday lives and trying to solve urban problems," he says. "If you associate the surveillance with Dick Cheney it’s bad; if you associate the surveillance with Bill de Blasio that is another thing."
[...]
President Obama’s administration has taken up cybersecurity as a national safety and security issue with a recent push to enlist the help of private industry. In January, Obama proposed legislation that would help shield companies that share online-threat data with the government from lawsuits, and last month he signed an executive order that urges (but does not require) companies to share information on cybersecurity threats more broadly, in the interest of improving threat protection systems.
[...]
Corman and other experts agree that the FTC’s broad recommendations for IoT manufacturers—build security in at the outset, implement lifecycle monitoring, train employees in security—are on the right track. But with the industry consigned to self-regulation for now, the current growing pains of data, security, and privacy within the IoT are likely to persist.
"We’ve moved into a completely new world," says Landau. "We are facing massive losses of privacy and, until we learn how to operate in it—we, the public, and we, the government—getting protection for it is going to be awkward. Or more than awkward."
See more at: fastcompany.com
No comments:
Post a Comment