Manufactures of smart devices need to strengthen their security, a panel of experts said Monday, challenging creators of the growing “internet of things” industry to impose minimum standards on their products.
A group of leaders from government and industry, speaking at a June 18 event held in the Woodrow Wilson Center, said that recent cyberattacks have revealed that connected products present a stark security risk. The suggestion of a political solution was laughed at.
“We have many new and less experienced device manufacturers out there,” said Jing de Jong-Chen, general manager for global cybersecurity at Microsoft. She suggested close collaboration between manufacturers to set standards for device security.
“Every device you ship you need to consider what happens when there is an attack on your device,” she said, emphasizing a focus on the entire “life cycle of a device.”
Ron Ross, a fellow at the National Institute of Standards and Technology, said that the increasing complexity of smart devices was driving product insecurity. “Complexity equals attack surface,” Ross said, using the 90 million lines of code in the new Ford F-150 pick-up truck as an example of products that rely on increased digital coding.
Popular connected devices include watches, automobiles and smart appliances. But, based on previous security lapses involving connected devices, the potential for harm is as limitless as the internet itself.
In one example, a high-roller database of a casino was reportedly hacked through a thermometer in the lobby’s aquarium. An army of smart devices was hacked and used in a distributed denial-of-service (DDoS) attack that shut down major portions of the internet for hours in October 2016. Cardiac devices like pacemakers and defibrillators made by St. Jude’s Medical could be taken over, according to a 2017 Food and Drug Administration report. (The company subsequently created a software patch.)
But if there was ever a belief that industry leaders were waiting for governments to step in and impose minimum security standards on smart devices, the sounds of laughter served as a reminder that the private sector looks to control its own destiny.
At the suggestion of a political solution, Jong-Chen and other members in the audience rejected it with a smile and chuckles.
Federal oversight and support of smart devices is spread across an alphabet soup of at least 11 different federal agencies, according to a 2017 Government Accountability Office report. “As new and more ‘things’ become connected, they increase not only the opportunities for security and privacy breaches, but also the scale and scope of any resulting consequences,” the report said.
Congress has shied away from regulating smart devices.
Last week, a House subcommittee voted for the Secretary of Commerce to study the state of the internet-connected devices industry. It now faces a full committee vote. A Senate bill introduced last year would require that smart devices purchased by the U.S. government meet certain security requirements, but it has stalled. Sen. Rob Warner, D-Va., told Reuters that he recognized the hesitation to regulate the smart-device industry.
“We’re trying to take the lightest touch possible.”