IoT and the US Congress, its a TRAP!

The US Government wants to get involved in IoT security. We all knew that was coming, NIST released a CPS or Cyber Physical System framework more than a year ago. But this might not be the best path for the Government to take.

First off, the reality of a deadlocked US Congress being able to act fast enough, logically enough and ultimately in a way that will benefit the entire industry is at best painful. Political reality tells me that the US Congress is the wrong group to legislate the security of IoT. NIST, in the Cyber Physical Systems framework had some great ideas, including some interesting concepts around security, but IoT is already out there. So, the cows are not in the barn, let’s not have congress slam the barn door shut.

Of course, the other sad reality of the US Congress passing laws is that all the other global organizations and governments will also have to weigh in. The best way to kill innovation is to strangle it with legislation.

We are at a cross roads now. Standing, as Frost once so eloquently wrote at a point in human history where there is a hard path and an easy path. Or to more directly paraphrase Mr. Frost, we have come upon a fork in the road. Which path should we choose?

Options, the worst thing to have. We could legislate the living daylights out of IoT devices and in so doing stifle innovation. We could, in a short run panic, choose to solve the problems we have today by blanketing them with laws. But what happens when we realize that we’ve already let the cows out of the barn, and closing the barn doors only means the ones that do return can’t get back in? We’ve effectively cut off our own arms with laws, to spite our face.

(Don’t scratch poison Ivy. It spreads if you scratch. Cut off your hand to prevent scratching).

That left, untraveled road looks interesting. Yes, there are risks. Yes, there is danger. We saw what one aggregated gamer could do less than a month ago. What happens when there are 20000000 angry gamers frustrated that there are no more Angry Bird updates and they all launch a Cyber-attack? Not, mind you that specifically Angry Brid users would do that, but a game devoted to throwing birds to knock over pigs has to have some other subliminal messaging.

I proposed (now more than a year ago) the concept of removable IoT device security. Where the security modules of the IoT device was actually removable. We could, with one simple rule decrease the security risks of the system quickly. Simply adding the required removable security component for IoT devices, no longer forcing companies, homes and users to replace their devices, just update their security hardware.

The other concept that we could look at is one that could be quickly implemented as well. Not by law but by innovation. Let’s say you have 100 IoT devices in your home (seems impossible – but you are actually probably really close to that now). Each of them today connects to your home network (wired or Wi-Fi) and chatters with their mother ship. The more they chatter the more they are hackable. The less they chatter the less useful they are. So, let’s change the reality of networks. We’ve spent the last 40 years building tootsie pop networks. Hard outer cores with soft chewy centers. What does the hacker want? The soft chewy center. How do they get it? They get a device to connect to and avoid the hard-outer shell. If you consider most home networks there really isn’t a hard-outer shell. So, getting into a corporate network is as simple as penetrating homes and hacking a home device. Once that device (say a connected printer) is hacked, once the user attaches to the printer for work, wham you are one step closer to the chewy center without doing anything other than hacking a printer. So, there are two things we can quickly do. The first is provide more in home security for users. In my NGO City Broker model one of the critical pieces going forward is the home security Blackbox. This allows the city to reduce the risk for home users by adding security on the perimeter of their network. To prevent the city from accessing devices on your network, your ISP would then provide a Natted router for your home use (simply put the router has a set of addresses, that are not public addresses.). The city device would inspect incoming and outgoing traffic to reduce the risk of attack, but would have no understanding of what is on the other side of the ISP’s router.

The other easy fix is the concept of who’s talking now. Given 100 devices, building intelligence into that concept and having the devices understand that there are many devices on your network. Then a random device opens the overall device connection. This random device then allows the city hub to notify you if a device is hacked (by simply knowing that you have 100 devices, device number 33 is currently the only one allowed to talk. It opened a connect to Samsung (verified DNS) but the other connection it opened was to something that isn’t verified). Increase security through simplicity. The harder we make it to attack, the more the attacker will move to easier ways..

.doc

Wondering if in fact legislation can do anything but kill innovation…