IoT insecurity: US govt summons tech bosses, bashes heads together

There are two things that everyone agrees on when it comes to the internet of things (IoT). First, security is a problem. And second, their approach is the best one.

The US government held a one-day meeting in Austin, Texas, today with the sole focus on a specific issue: the ability to upgrade and patch internet-connected devices.

It was this topic, noted staff from the National Telecommunications and Information Administration (NTIA) – an arm of the US Department of Commerce – that was top of the list of concerns when it held a public consultation on how and where the US government could and should help. It didn't take long to figure out why.

Everyone – and we mean everyone – is worried about the fact that there are billions of devices that now connect to the internet, with billions more in the pipeline, and there is literally no agreed-upon security approach.

Fresh in people's minds is the huge denial-of-service attack on security researcher Brian Krebs that knocked over his website even though he had Akamai protection. The culprit? A botnet made up of poorly patched webcams. It doesn't take a genius to realize this is the beginning of a much bigger problem.

"The issue is urgent and it is complex," noted NTIA deputy assistant secretary Angela Simpson, in opening remarks. Everyone else who gave a formal talk agreed. The Internet Society's CTO Olaf Kolkman noted: "IoT security is a topic of some urgency. But it is also incredibly hard. It's not clear who needs to do what." Intel's VP and general manager for IoT security solutions, Lorie Wigle, says it again: "There is a really, really big problem."

Follow me. No, me, not him

But just as big as the IoT security issue itself, is how to get people to agree on a solution. No one, from the chip manufacturers to the network operators to the device manufacturers, wants to be the one that will introduce new systems and approaches. As much as NTIA staff gently but repeatedly prodded the room to look at real solutions, the conversation quickly drifted back to identifying the problem and offering vague concepts of what needed to happen.

It wouldn't be the internet of things without conflicting solutions to even the most intangible elements. In this case, it was a multitude of different frameworks for looking at the issue of IoT security.

The Online Trust Alliance outlined its principles (31, boiled down from 75) for how to start looking at the problem. A huge group people had taken 18 months coming up with it, and everyone loves it, said its chair Jeff Wilbur.

But hold on, the Internet Architecture Board (IAB) has also come up with a wonderful way of looking at this. Kolkman outlines the IAB pedigree and flags up its June meeting and their resulting guidelines.

Wait a second, says the Industrial Internet Consortium (IIC): what about our delightful security framework document? That's all good, but we have a nice simple five-star framework, says another consortium.

The NTIA knew what was coming with this topic. Right at very start, Angela Simpson warned that the "multistakeholder model" that it has been pioneering for a number of years and where everyone gets a say "can be difficult; it can be a little chaotic. It will likely require you to venture outside your comfort zone," she warned. But a collaborative spirit and a drive toward consensus will give the best result, she argued.

Agreement, in part

Despite the lack of any real progress in the morning session of the event, that collaborative approach does seem to be holding.

There is broad agreement that a key aspect to finding a solution would be working out how to convey any efforts to the consumer. Why? Because additional security costs money, and without some kind of market differentiation, people are just going to buy the cheapest product.

There is real agreement that there needs to be some kind of ability to flag up whether an IoT device needs patching – which can be hard when many devices don't have a display.

There is also widespread agreement that there needs to be a way to deal with the billions of out-of-date devices that will soon cover the planet, whether they are no longer maintained by the manufacturer or if the manufacturer has gone out of business.

But no one wants to agree to put themselves on the line for that sort of broad-ranging and complex update requirement. It's going to be a messy and lengthy affair getting the industry to come together to agree to take on additional responsibilities.

But there is one significant motivator: the US government itself. And not the Department of Commerce, but Congress. Bill Woods from the Atlantic Council noted that there are currently two billion IoT devices out there that have the 12-year-old SSH flaw that enables them to be turned into a botnet.

"There are very few things that scare public policymakers," he noted, but the idea of the huge expanding and emerging IoT market turning into an online death-ray is one of them.

"There is already botnet legislation in the Senate," Woods warned. "If we don't find a way to fix this, they will find a way and we almost certainly won't like it." ®