The so-called Internet of Things sparks two emotions among security professionals: A certainty that government regulation will be needed to prevent needless deaths, and an equal determination to keep legislators away from the industry.
That’s how some of the debate shaped up this week at the annual SecTor conference in Toronto, where a panel on predictions for the coming year found lively debate.
At one end was Ottawa consultant Brian O’Higgins, who is very concerned about the number of wireless sensors being embedded in almost everything.
The car industry is working on creating a standard for self-driving cars with anti-collision sensors that wirelessly talk to each other by 2020, he said. O’Higgins works for some vendors here trying to get certifications. But, he said, General Motors isn’t waiting — it wants to have the technology in a Cadillac by 2017, before a safety standard is set.
“I work with a startup that embeds sensors in concrete for measuring how structures cure,” he added. The sensors will be there for years. “The opportunity for abuse is huge.”
With the Internet of Things/machine-to-machine communications, “the attack surface area is growing exponentially.” He admits that an adversary could gain control of a system “and create havoc.”
The computer industry is only about 60 years old, he said, but he predicts it will be regulated for safety, as the car industry and health care are. The advantage, he added, is that buyers will get software quality assurance.
He didn’t have much support. David Senf, vice-president of IDC Canada’s Infrastructure Solutions Group, said some IT regulation — like mandatory data breach notification — is necessary. But regulation done wrong could slow down the industry, and possibly cut into startup financing. “It has to be done properly,” he said. “Standardization but not regulation.”
Gord Taylor, a Toronto-based independent security consultant, argued that regulation would be self-defeating. The Internet has been built on 20-year-old code, he said, whose vulnerabilities are only now being discovered.
Industry self-regulation will be far more successful than imposed regulation because if vendors have a vested interest in making sure a product is secure, they’ll do it better. “It won’t be checkbox security,” he said, meaning “the government says I have to do this. Check.”
“No industry is standing up and saying please regulate me more,” O’Higgins acknowledged, “but it will happen. There will be more and more regulation.”