As it wags its finger at the NSA for amassing a toolbox for breaking cybersecurity defenses in products built by technology companies, Microsoft at the same time is calling on the government to regulate privacy and security in the Internet of Things market, a huge growth area for the company’s cloud business.
Government will have to get involved in IoT security, Sam George, the company’s director of engineering for Azure IoT, said Tuesday while sitting on a panel at IoT World, the IoT industry’s big annual conference taking place this week in Silicon Valley.
Security is one of the biggest challenges in the budding IoT space, as companies rush products to the hot new market. Currently the “bar is low” for IoT security, George said.
More connected devices means a larger attack surface that’s more difficult to secure. The biggest and clearest example of the threat was last year’s DDoS attack on the DNS service provider Dyn (now owned by Oracle), when an army of compromised IoT devices, including CCTV cameras and DVR recorders, was hijacked and used to flood the provider’s data centers with requests, effectively disabling web properties that relied on its services to let computers know how to find them on the internet.
The attack on Dyn by the so-called Mirai botnet was only the most prominent example. Not long before it happened, cybersecurity company Symantec released a report saying the number of DDoS attacks exploiting IoT devices had been rising for some time, with the record number of attacks recorded in 2015. (The report came one month prior to the Dyn incident, and the company hasn’t yet released a similar report for 2016.)
Malware that targets IoT devices exploits vulnerabilities like unchanged default passwords and outdated firmware and often goes unnoticed for long periods of time, according to Symantec:
“Embedded devices are often designed to be plugged in and forgotten after a very basic setup process. Many don’t get any firmware updates, or owners fail to apply them, and the devices tend to only be replaced when they’ve reached the end of their lifecycle. As a result, any compromise or infection of such devices may go unnoticed by the owner, and this presents a unique lure for the remote attackers.”
IoT Regulation on Government’s Radar
Select federal agencies that oversee specific sectors already regulate some areas of the IoT market. The Federal Aviation Administration, for example, regulates drones, while the National Highway Traffic Safety Administration regulates autonomous vehicles and vehicle-to-vehicle communication technology, according to the first comprehensive report on IoT by the Government Accountability Office, released this month.
Both federal and executive branches of the US government have been considering regulation of IoT devices or data, according to the report. Ongoing efforts include a review of the government’s role in IoT by the National Telecommunications and Information Administration and the Developing Innovation and Growing the Internet of Things Act (DIGI Act), introduced in both congressional bodies, which would “require the Department of Commerce to convene a working group of federal stakeholders to provide recommendations to Congress on the proliferation of the IoT.”
Big IoT User Expects Secure Products from Vendors
The IoT World panelists weren’t all on the same page. Alan Boehme, chief innovation officer at Coca-Cola, said government regulation would take too long to materialize, and that he would prefer an industry-driven effort to create some security standards in the space.
Coca-Cola, he said, is a “huge” user of Microsoft’s IoT technologies, using them to collect and manage data from 15 million vending machines and a fleet of trucks that’s bigger than all of UPS and FedEx trucks combined. “We have a lot of ‘Things,’” he said.
As a big technology buyer, Boehme said he expects the vendors to make sure their products have all the appropriate cyber safeguards in place.
As Attacks Rise, Regulation May Be Inevitable
Another panelist, Stuart McGuigan, CIO at Johnson & Johnson, agreed with Microsoft’s George. In his employer’s business, which nowadays is heavily focused on healthcare technology, security can be a matter of life and death, but it’s also closely linked to an already heavily regulated issue: patient privacy. Put simply, a poorly secured connected device in a healthcare facility can become an entry point for gaining access to personal patient data, compromising the patients and causing huge fines for the organization.
“This is where – and I say this with a lot of sincerity – I love regulation,” McGuigan said, adding that regulation in the IoT space may be inevitable, as large-scale cyberattacks become more frequent, causing public outcry for laws that will govern the way IoT networks are protected. The pace of attacks “is accelerating, and unfortunately we’re going to see regulation,” he said.