SAN FRANCISCO — Governments have an obligation to quickly improve the cyber safety of the millions of industrial and consumer devices being sold and connected to the Internet, a panel of experts agreed – they just can’t agree on how.
“This is an urgent problem,” Olaf Kolkman, CTO of the Internet Society, said Wednesday here at the annual RSA Conference. “We’re shipping stuff that will live in our environment for a long time and it’s hurting the common good. The urgency is really important. At some point somebody will get killed.”
The problem of so-called Internet-of-Things devices came sharply into focus last fall when the Mirai botnet, composed largely of millions of insecure digital video surveillance cameras and recording systems, was behind a huge distributed denial of service (DDoS) attack.
Because many devices either are older and can’t be patched or have fixed passwords that can’t be changed, many in the industry fear the number of such botnets is only going to increase in the short term until those devices are replaced by more secure ones.
Kolkman’s comments came as he and fellow panelists Bruce Schneier, security guru and author, and Craig Spiezle, executive director of the Online Trust Association, debated whether the tech industry can solve the problem or whether government regulation is the answer.
For all his angst, Kolkman was cautious. “If you apply regulations you have to think if it will stifle innovation and the promises IT brings to you … We need industry to take a leadership role wherever they can,” he said. But, he added, “if it comes to accountability government has a role.”
He urged a multi-stakeholder approach where governments, technologists and groups representing users work together to find solutions.
“As technologists we have to get a good understanding of society’s needs and apply stewardship. At the same time policy makers need to understand what the side effects are of any proposal.”
Spiezle, whose industry association promotes practices to encourage online trust, said IoT makers have given his group a number of reasons for not acting, including that encrypting data is expensive and that security will slow products getting to market or impair battery life.
He argued governments work too slowly. “If you think government is going to solve that problem … it won’t – there are millions of orphaned devices out there.”
On the other hand, he referred to news reports that a consumer router maker shipped a device with a default password and didn’t fix a known software vulnerability for almost a year as “clear missteps and (the manufacturer) should be held accountable.”
And while he said consumers have responsibilities — a router maker shouldn’t have to replace a 10-year-old vulnerable device for free, he said — retailers shouldn’t be selling insecure products.
But that depends on product labelling, Schneier replied – which would be mandated by government.
“If you don’t have some sort of government entity setting the playing field, companies will act in their own self interest, which will not be adequate security.”
But even he admitted the fast pace of change in the tech industry means regulations have to be crafted carefully. There won’t be one answer, he said.
For example, he wondered why consumer Internet providers feel they don’t have the same cyber security responsibilities to protect their users as corporate IT does. In fact, he thinks it would be a good idea if ISPs had to face security regulation.
Governments have many tools, he pointed out, ranging from promoting research to fines. “Now we have to figure out what we need to do with each little piece to get maximum benefit with little cost.”