Still reeling from criticism over the WannaCrypt attack, Microsoft has stuck its hat on a stick and raised it out of the trench to see how its proposals for Internet of Things security might be received.
Since IoT security is almost uniformly awful, it's probably a good thing that the creator of Windows XP Embedded wants to try and clean up some of the Internet of S**t before things get even worse.
Redmond's white paper (PDF) – are you sitting down? – reckons the tech sector can't fix things alone, and government should get involved, at the very least helping develop policies and guidelines.
What's government's role in this? The white paper sets out three areas it wants governments to create policies to support:
- Serve as catalysts for the development of good IoT security practices;
- Build cross-disciplinary partnerships that encourage public-private collaboration and inter-agency cooperation; and
- Support initiatives that improve IoT security across borders.
Microsoft adds that governments need to invest in IoT security training, education, and public awareness – a brilliant idea given how loose the governmental purse-strings are these days.
What about the rest of the ecosystem?
Manufacturers are told to design minimal rather than general-purpose hardware, since every unused feature is attack surface; to make that hardware tamper-resistant (the paper says "tamper-proof", a bar no real hardware clears); to build in security features such as encrypted storage and protected crypto keys; and to provide secure upgrade paths, so that a device can be patched in the field without the update mechanism itself becoming the way in.
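What a "secure upgrade path" comes down to on the device side is shown below. This is an added illustration, not code from Microsoft's paper or from any vendor product: a constructed, minimal update format (a version number plus an image) is signed offline with an Ed25519 key from Go's standard library, and the device verifies the signature with a public key assumed to be baked into it before checking that the version is strictly newer than what is already installed. The tampered, rolled-back and wrongly-keyed cases in main() are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdatePackage is a constructed, deliberately minimal firmware update:
// a version number, the image bytes and a detached Ed25519 signature
// over (version || image). Real formats carry more, but the two checks
// below are the ones that matter.
type UpdatePackage struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("update: signature invalid")
	ErrRollback     = errors.New("update: version not newer than installed")
)

// message binds the version to the image, so a valid signature over one
// image cannot be re-attached to a different image or a different version.
func message(version uint32, image []byte) []byte {
	msg := make([]byte, 4, 4+len(image))
	binary.BigEndian.PutUint32(msg, version)
	return append(msg, image...)
}

// GenerateVendorKey stands in for the vendor's offline signing key; in
// practice the private half lives in an HSM, not on the build host.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign is the build-pipeline side: produce a package for a new image.
func Sign(priv ed25519.PrivateKey, version uint32, image []byte) UpdatePackage {
	return UpdatePackage{
		Version:   version,
		Image:     image,
		Signature: ed25519.Sign(priv, message(version, image)),
	}
}

// VerifyUpdate is the device side. pub is assumed to be stored in ROM/OTP
// on the device; installed is the version currently running. The signature
// is checked first, so no unsigned input ever influences control flow,
// and the anti-rollback check then refuses a validly signed but older
// image (which is how an attacker would reintroduce a patched bug).
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, pkg UpdatePackage) error {
	if !ed25519.Verify(pub, message(pkg.Version, pkg.Image), pkg.Signature) {
		return ErrBadSignature
	}
	if pkg.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	pub, priv := GenerateVendorKey()
	image := []byte("constructed firmware image v2") // constructed sample

	good := Sign(priv, 2, image)
	fmt.Println("genuine v2 on a v1 device:", VerifyUpdate(pub, 1, good))

	tampered := good
	tampered.Image = append([]byte{}, image...)
	tampered.Image[0] ^= 0xff
	fmt.Println("bit-flipped image:       ", VerifyUpdate(pub, 1, tampered))

	fmt.Println("genuine v2 on a v2 device:", VerifyUpdate(pub, 2, good))

	_, otherPriv := GenerateVendorKey()
	fmt.Println("signed with wrong key:   ", VerifyUpdate(pub, 1, Sign(otherPriv, 3, image)))
}
```

The order of the checks is the point: parsing, decompressing or flashing anything before the signature has been verified hands an attacker a code path that runs on unauthenticated data, and a version check without a signature (or a signature without a version check) leaves one of the two classic update attacks open.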
Developers, integrators, and deployers also get recommendations specific to their roles.
Rather than dismissing the role of open source software, the paper suggests avoiding components or libraries that no longer have an active community behind them, since bugs in abandoned code are unlikely ever to be patched.
There's a welcome recognition that “enhanced guidance” is needed for safety-critical sectors like healthcare, critical infrastructure, transport, utilities and the like – but little detail on what that might entail, alas. ®