IoT Security After “The Interview”

Posted on 22nd December 2014 in defense, Internet of Things, M2M, management, privacy, security, US government

Call me an alarmist, but in the wake of the “Interview” catastrophe (that’s how I see it in terms of both the First Amendment AND asymmetrical cyberwarfare), I see this as a clarion call to the #IoT industry to redouble efforts to make both security AND privacy Job #1.

Here’s the deal: if we want to enhance more and more parts of governmental, commercial, and private lives by clever IoT devices and apps to control them, then there’s an undeniable quid pro quo: we MUST make these devices and apps as secure as possible.

I remember some bright young entrepreneurs speaking at a recent wearables conference, where they apologized for not having put attention on privacy and security yet, saying they’d get to it early next year.

Nope.

Unacceptable.

Security must be built in from the beginning, and constantly upgraded as new threats emerge.  I used to be a corporate crisis manager, and one of the things that was so hard to convince left-brained, extremely rational engineers about was that just because fears were irrational didn’t mean they weren’t real — even the perception of insecure IoT devices and apps has the potential to kill the whole industry, or, as Vanity Fair‘s apocalyptic “Look Out, He’s Got a Phone” article documented, it could literally kill us. As in deader than a doornail.

This incident should have convinced us all that there are some truly evil people out there fixated on bringing us to our collective knees, and they have the tech savvy to do it, using tools such as Shodan. ‘Nuff said?

PS: Here’s what Mr. Cybersecurity, Bruce Schneier, has to say on the subject. Read carefully.

My #IoT predictions for 2015

I was on a live edition of “Coffee Break With Game-Changers” a few hours ago with panelists Sherryanne Meyer of Air Products and Chemicals and Sven Denecken of SAP, talking about tech projections for 2015.

Here’s what I said about my prognostications:

“I predict that 2015 will be the year that the Internet of Things penetrates consumer consciousness — because of the Apple Watch. The watch will unite both health and smart home apps and devices, and that will mean you’ll be able to access all that usability just by looking at your watch, without having to fumble for your phone and open a specific app.

If Apple chooses to share the watch’s API on the IFTTT – If This Then That — site, the Apple phone’s adoption – and usability — will go into warp speed. We won’t have to wait for Apple or developers to come up with novel ways of using the phone and the related devices — makers and just plain folks using IFTTT will contribute their own “recipes” linking them. This “democratization of data” is one of the most powerful – and under-appreciated – aspects of the IoT. In fact, Sherryanne, I think one of the most interesting IoT strategy questions for business is going to be that we now have the ability to share real time data with everyone in the company who needs it – and even with supply chain and distribution networks – and we’ll start to see some discussion of how we’ll have to change management practices to capitalize on this this instant ability to share.

(Sven will be interested in this one) In 2015, the IoT is also going to speed the development of fog computing, where the vast quantities of data generated by the IoT will mean a switch to processing data “at the edge,” and only passing on relevant data to the cloud, rather than overwhelming it with data – most of which is irrelevant.

In 2015 the IoT is also going to become more of a factor in the manufacturing world. The success of GE’s Durathon battery plant and German “Industry 4.0” manufacturers such as Siemans will mean that more companies will develop incremental IoT strategies, where they’ll begin to implement things such as sensors on the assembly line to allow real-time adjustments, then build on that familiarity with the IoT to eventually bring about revolutionary changes in every aspect of their operations.

2015 will also be the year when we really get serious about IoT security and privacy, driven by the increasing public concern about the erosion of privacy. I predict that if anything can hold back the IoT at this point, it will be failure to take privacy and security seriously. The public trust is extremely fragile: if even some fledgling startup is responsible for a privacy breach, the public will tend to tar the entire industry with the same brush, and that could be disastrous for all IoT firms. Look for the FTC to start scrutinizing IoT claims and levying more fines for insufficient security.”

What’s your take on the year ahead? Would love your comments!

In case you missed it, great panel today on the IoT and government

Posted on 19th March 2014 in government, Internet of Things, US government

In case you missed it, old friend Christopher Dorobek put together a great (in all modesty, LOL …) panel today for his “DorobekINSIDER” series on GovLoop about how the Internet of Things will transform government.  I’ll try to summarize it in a later post, but you can listen in here!

Tweeting the IoT Summit!

Posted on 1st October 2013 in government, Internet of Things, M2M, privacy, security

I Tweeted throughout the IoT Summit today, cryptic as the comments may have been. You can check them out at @data4all.  Learned a great deal, and picked up several nice examples for the e-book I’m writing on implications for corporate management of the IoT!

Enjoy.  Will do the same tomorrow!

Could IoT Allow Do-over for Privacy, Security — & Trust?

Posted on 13th September 2013 in communication, management, privacy, security

Expect to be reading a lot here about privacy and security between now and my panel on those issues at the IoT Summit in DC, Oct. 1 & 2, as I prep to ask the panel questions!

Here’s another, from Stacy Higginbotham (BTW, she does a great podcast on IoT issues!), based on a conversation with ARM CTO Mike Muller. It’s reassuring to see that this IoT-leading firm is taking privacy and security seriously. Even more refreshingly, theirs is a nuanced and thoughtful view.

Muller told Higginbotham that IoT vendors should learn from some of the missteps on privacy on the Web so far, and make amends:

“’We should think about trust as who has access to your data and what they can do with it. For example, I’ll know where you bought something, when you bought it, how often and who did you tweet about it.

“When you put the long tail of lots of bits of information and big data analytics associated with today’s applications we can discern a lot. And people are not thinking it through. … I think it’s the responsibility of the industry that, as people connect, to make them socially aware of what’s happening with their data and the methods that are in place to make connections between disparate sets of data (my emphasis). In the web that didn’t happen, and the sense of lost privacy proliferated and it’s all out there. People are trying to claw that back and implement privacy after the fact.”

Higginbotham adds that “… what troubles Muller is that today, there’s nothing that supports trust and privacy in the infrastructure associated with the internet of things.”

What struck me, as someone who used to earn his living doing corporate crisis management, is that one of the critical issues in trust (or lack thereof) is guilt by association may not be logically valid, but is emotionally powerful: if people’s preconception of IoT privacy and security standards is that they’re simply an extension of Internet ones, there’s likely to be trouble.

She goes on to differentiate between security, privacy — and trust.

“Trust is the easiest to define and the hardest to implement. It relies on both transparency and making an effort to behave consistently ….  When it comes to connected devices and apps, trust is probably most easily gained by explaining what you do with people’s data: what you share and with whom. It might also extend to promises about interoperability and supporting different platforms. Implicitly trust with connected devices also means you will respect people’s privacy and follow the best security practices….

“Privacy is more a construct of place as opposed to something associated with a specific device. So a connected camera on a public street is different from a connected camera inside your home. It’s easy to say that people shouldn’t be able to just grab a feed from inside your home — either from a malicious hack or the government (or a business) doing a random data scrape. But when it comes to newer connected devices like wearables it gets even more murky: Consider that something like a smart meter can share information about the user to someone who knows what to look for.

“So when thinking about the internet of things and privacy, it’s probably useful to start with thinking about the data the device generates….

(As for security:) “To protect privacy when everything is connected will require laws that punish violations of people’s privacy and draw lines that companies and governments can’t step over; but it will also require vigilance by users. To get this right, users should be reading the agreements they click through when they connect a device, but companies should also create those agreements, especially around data sharing transparent, in a way that inspires trust.

Governments and companies need to think about updating laws for a connected age and set criteria about how different types of data are transported and shared. Health data might still need the HIPAA-levels of regulations, but maybe looser standards can prevail for connected thermostats.”

Sounds to me as if there’s a role in these complex issues for all of us: vendors, government, and users.

But the one take-away that I have from Muller’s remarks is that IoT vendors must realize they have to earn users trust, and that’s going to require a combination of technical measures and unambiguous, plain-English communication with users about who owns their data and how it will be used. To me, that means not hiding behind the lawyers and agate-type legal disclaimers, but clear, easy-to-understand declarations about users’ rights to their data and companies’ need to directly ask them for access, displayed prominently, with the default being that the user completely denies access, and must opt in for it to be shared. 

What do you think?

Higginbotham concludes that “we need to stop freaking out about the dangers of connected devices and start having productive discussions about implementing trust and security before the internet of things goes the way of the web. Wonderful, free and a total wild west when it comes to privacy.” Hopefully, that’s what will happen during our October 1st panel.

Good Paper by Mercatus on IoT Privacy and Security

Posted on 12th September 2013 in privacy, security

I’m politically on the liberal, not the libertarian side, but I’ve come to respect the libertarian Mercatus Center, in large part because of the great work Jerry Brito has done there on governmental transparency.

As part of my preparation to moderate a panel on security and privacy at the IoT Summit on October 1st in DC, I just read a great paper on the issue by Mercatus’ Adam Thierer.

In comments submitted to the FTC for its November workshop on these issues titled “Privacy and Security Implications of the Internet of Things,” Thierer says “whoa” to those who would have the FTC and others quickly impose regulations on the IoT in the name of protecting privacy and security.

Opposing pre-emptive, “precautionary” regulations, he instead argues for holding back:

“…. an “Anti-Precautionary Principle” is the better default here and would generally hold that:

“1. society is better off when technological innovation is not preemptively restricted;

“2. accusations of harm and calls for policy responses should not be premised on hypothetical worst-case scenarios; an

“3. remedies to actual harms should be narrowly tailored so that beneficial uses of technology are not derailed.”

He reminds us that, when introduced, such everyday technologies as the phone (you know, the old  on-the-wall kind..) and photography were opposed by many as invasions of privacy, but social norms quickly adapted to embrace them. He quotes Larry Downes, who has written, “After the initial panic, we almost always embrace the service that once violated our visceral sense of privacy.”

Rather than imposing limits in advance, Thierer argues for a trial-and-error approach to avoid unnecessary limits to experimentation — including learning from mistakes.

He points out that social norms often emerge that can substitute for regulations to govern acceptable use of the new technology.

In conclusion, Thierer reminds us that there are already a wide range of laws and regulations on the book that, by extension, could apply to some of the recent IoT outrages:

“…  many federal and state laws already exist that could address perceived harms in this context. Property law already governs trespass, and new court rulings may well expand the body of such law to encompass trespass by focusing on actual cases and controversies, not merely imaginary hypotheticals. State ‘peeping Tom’ laws already prohibit spying into individual homes. Privacy torts—including the tort of intrusion upon seclusion—may also evolve in response to technological change and provide more avenues of recourse to plaintiffs seeking to protect their privacy rights.”

Along the lines of my continuing screed that IoT manufacturers had better take action immediately to tighten their own privacy and security precautions, Thierer isn’t letting them off the hook:

“The public will also expect the developers of IoT technologies to offer helpful tools and educational methods for controlling improper usages. This may include ‘privacy-by-design’ mechanisms that allow the user to limit or intentionally cripple certain data collection features in their devices. ‘Only by developing solutions that are clearly respectful of people’s privacy, and devoting an adequate level of resources for disseminating and explaining the technology to the mass public’ can industry expect to achieve widespread adoption of IoT technologies.”

So get cracking, you lazy IoT developers (yes, you smirking over there in the corner…) who think that security and privacy are someone else’s business: if you don’t act, regulators may step in, and stiffle innovation in the name of consumer protection. You’ll have no one to blame but yourselves.

It’s a good read — hope you’ll check it out!

 

The Hill Publishes Op-Ed on IoT Security and Privacy

Posted on 11th September 2013 in privacy, security, US government

Earlier this week, The Hill, the highly-respected Capitol Hill newspaper, published an op-ed co-authored by Chris Rezendes of INEX Advisors and me on the ever-important topic of IoT privacy and security (or lack thereof!).

In it, we warned that “on the heels of the NSA scandal, news of security problems’ threat to privacy may cripple the IoT before it achieves its promise.”

We went on to explain that:

“The record on security and privacy is not reassuring.

“The Obama administration has almost entirely ignored the Internet of Things (by contrast, it’s frequently mentioned by the Chinese leadership, which has invested massive amounts in the technology) . The president has never mentioned it, and the FTC is the only federal agency that has begun to protect IoT privacy and security.”

We called for public-private collaboration to make IoT security and privacy a priority:

“Individual companies must make privacy and security a priority. Opaque user agreements such as Facebook’s letting the service provider remarket or redeploy user data won’t be acceptable. A recent INEX study of one multi-billion industrial market revealing 96 percent of industrial equipment owner/operators believe they own data from their machines, and access to it is theirs to determine — not the machine’s builder or service providers that connect it. Customers must legally own their online data, determine who has rights to what, and sharing must be “opt in”, with ZERO sharing as the default.

“As for security, companies should explore Resilient Networking, a concept developed for the Department of Homeland Security framing new approaches to network/cyber security in more connected, distributed, automated, and dynamic digital networks.

“But individual efforts aren’t as important as collaborative ones, again, because of the data-sharing that is central to the IoT’s transformative power. We’re encouraged by formation of the IPSO Alliance and the IoT Consortium, which make security and privacy a priority.

“The president must also become involved in this issue. One reason is that the IoT will benefit government: cities worldwide are already applying the IoT, and it can make government in general more effective and responsive. Working closely with the private sector is a priority because 85 percent of the nation’s critical infrastructure, including the electric grid, pipelines and chemical plants, is in private hands, and is the focus of IoT initiatives such as a the “smart grid” to make them more interconnected and reliable – but also more vulnerable to a coordinated attack.”

That’s our opinion on this crucial issue. What’s yours?

P.S. A reminder that these issues will be front and center in  the panel on security and privacy that I will moderate at the IoT Summit, to be held October 1st and 2nd at the National Press Club in DC. Don’t miss it!

I’ll moderate D.C. panel on IoT privacy and security!

Posted on 5th September 2013 in privacy, security, Uncategorized

Huzzah!  As you know, I’ve been repeating the mantra that, as technological barriers such as battery size disappear, the most important obstacle threatening full development of the Internet of Things is the linked issues of privacy and security.

That’s why I’m quite honored to announce I’ll be hosting a panel on those issues at the 2013 M2M and Internet of Things Global Summit, to be held October 1 and 2 at the National Press Club in DC! 

It’s an impressive panel:

Other panels at the summit will discuss a related issue, device security; actualizing the IoT’s benefits; financing the IoT; IoT devices in the 4G era; and global standards.

Major speakers include:

  •  Edith Ramirez, Chairwoman, FTC
  • Chris Vein, Chief Innovation Officer, The World Bank
  • Kevin Petersen, Senior Vice President, Digital Life, AT&T
  • Ed Tiedemann, Fellow and Head of Standards, Qualcomm
  • David Hoffman, Director of Security Policy and Global Privacy Officer, Intel Corporation
  • Alicia Asín, Co-Founder and CEO, Libelium
  • Chad Jones, VP Product Strategy, Xively
  • Chris Rezendes, President, INEX Advisors
  • Doug Merritt, Senior Vice President, Product, Solutions & Industry Marketing, Cisco

It should be a great conference. Sign up now! See you there!

PS: What questions do you think I should ask the panelists?

BABY MONITOR HACKED: MAKE-IT-OR-BREAK IT MOMENT FOR #IoT!!

Posted on 15th August 2013 in health, home automation, Internet of Things, privacy, security

I’m hitting on the same subject, privacy and security, for two posts in a row because now there’s been an incident that really could jeopardize the future of the IoT!

Call me an alarmist if you will, but I say ignore it at your peril…

As blogged by GigaOm, ABC News reported this week on an incident where a hacker got access to a — this is getting repetitious — IoT product with laughable security.

This time, it wasn’t the main-stream media reporting just a friendly wake-up call

Foscam Baby Monitor

(literally and figuratively…) from a reporter about a vulnerability, or a general warning about possible threats to home and car: it was a story guaranteed to strike a primal fear in the heart of every parent: a threat to their infant!

 

Here’s what happened, according to ABC:

“A Houston couple is still shaken after saying they heard the voice of a strange man cursing and making lewd comments in the bedroom of their 2-year-old daughter.

“When Marc Gilbert and his wife Lauren entered the room, the voice cursed them as well.

“The creepy voice — which had a British or European accent — was coming from the family’s baby monitor that was also equipped with a camera. A hacker apparently had taken over the monitor.”

Are you a parent? If so, don’t tell me that wouldn’t have your blood boiling!

Oh, BTW, ABC tossed in a reminder that baby monitors can be used by potential burglars

Once again, I’ll harken back to my days as a corporate crisis consultant to warn that this is precisely the kind of incident that is going to be repeated ad nauseum by privacy advocates and others to warn about the dangers of the IoT.

Even worse, those of who are immersed in the IoT 24/7 may not realize it, but I’d bet the majority of people worldwide still haven’t heard of the IoT. Is this the way we want them to find out about it???

So my parting advice would be to go out today and buy a Foscam baby monitor (heck, they’re probably giving them away now — who the heck would buy one?) and put it in a place of prominence on your CEO’s desk as a reminder that if you don’t take privacy and security seriously, the media will be quick to remind you…

 

CRUCIAL: more media coverage underscores need for IoT emphasis on privacy & security

Posted on 12th August 2013 in privacy, security

Sorry to keep harping on it, but two recent articles in high-visibility publications — The NY Times and Forbesunderscore my contention that security and privacy issues threaten to derail the IoT revolution before it really gets going.

I say that because I spent a decade as an award-winning corporate crisis communicator — on more than one occasion saving the corporate bacon of Fortune 100 firms that didn’t understand that the public isn’t always scrupulously logical when it comes to their fears. Illogical linkages are nonetheless real ones.

The current example of that is the flap over NSA surveillance. The most recent comprehensive public opinion survey, by Pew, shows that a majority of Americans are now concerned that the surveillance has gone too far:

“Among other things, Pew finds that ‘a majority of Americans – 56% – say that federal courts fail to provide adequate limits on the telephone and internet data the government is collecting as part of its anti-terrorism efforts.’ And ‘an even larger percentage (70%) believes that the government uses this data for purposes other than investigating terrorism.’ Moreover, ‘63% think the government is also gathering information about the content of communications.” That demonstrates a decisive rejection of the US government’s three primary defenses of its secret programs: there is adequate oversight; we’re not listening to the content of communication; and the spying is only used to Keep You Safe™.”

So what’s that have to do with the IoT?

Plenty!

Consider the beginning of Forbes reporter Kashmir Hill’s article on the security vulnerabilities of home automation systems, with the eye-catching title “When ‘Smart Homes’ Get Hacked: How I Haunted a Complete Stranger’s Home Via the Internet“:

“‘I can see all of the devices in your home and I think I can control them,’ I said to Thomas Hatley, a complete stranger in Oregon who I had rudely awoken with an early phone call on a Thursday morning.

“He and his wife were still in bed. Expressing surprise, he asked me to try to turn the master bedroom lights on and off. Sitting in my living room in San Francisco, I flipped the light switch with a click, and resisted the Poltergeist-like temptation to turn the television on as well.

“’They just came on and now they’re off,’he said. ‘I’ll be darned.'”

I’m convinced that people who are already alarmed about the NSA surveillance will not be enthusiastic about home automation, or the IoT in general, when they read that! If not overt, their minds will at least make a subliminal connection between the two stories, and they’re going to be afraid!

Add in former CIA Director David Petraeus’ enthusiasm for the IoT as a new arrow in the quiver of spycraft, and you’ve got the potential for a really-spooked public.

Here’s a major part of the problem, based on my crisis management background: engineers, more likely than not, are left-brained and analytical. As a result, their immediate reaction will be to demonstrate — very logically — why the two issues are completely different, and the IoT shouldn’t be tarred with the NSA’s abuses.

Hogwash.

The majority of Americans aren’t engineers, and they’re scared, so deal with it, or the IoT will be crippled.

I’ve just drafted an op-ed that I hope to place this week that argues privacy and security must be just as much an #IoT industry priority as is innovative technology. It says that the emphasis of IoT consortia such as the IPSO Alliance and the IoT Consortium on collaborative approaches to security are critical, because the essence of the IoT is on sharing of data, and that the Obama Administration must become active as well.

It concludes:

“The Internet of Things has truly remarkable potential to improve the economy’s efficiency, improve health care, and make our lives more comfortable and enjoyable. But if it’s security and privacy standards aren’t a top priority for government and industry, all of those benefits may be squandered. “

Don’t say I didn’t warn you!

PS: the second article I mentioned at the top was a considerably less provocative one in today’s New York Times. The fact that The Gray Lady of American Journalism is now following this issue should be a significant concern.