The Electronic Privacy Information Center (EPIC) asked Congress to use the reauthorization of the National Telecommunications & Information Administration (NTIA) to finally protect Americans during the rise of the Internet of Things (IoT) in seemingly every aspect of modern life.
"The implications of Internet of Things for consumer privacy and security are far-reaching," the privacy group said in a letter to the head of US House Subcommittee on Communications and Technology. "If the NTIA fails to develop appropriate safeguards, the country will face growing risk."
EPIC isn't alone in thinking IoT devices are a threat. Everyone from Google, which announced in December 2016 a new platform meant to help IoT companies secure their products, to Virginia Senator Mark Warner has called for safer connected devices. These products are threatening on both the individual and national levels. Allowing manufacturers to continue to release them without basic protections is like asking for something bad to happen.
Indeed, some of those bad things have already happened. Popular services like Twitter and Spotify were unreachable for several hours in October 2016 because of an attack on critical infrastructure by malware-affected IoT devices. In December, the Institute for Critical Infrastructure Technology said nations could exploit vulnerabilities in IoT devices for their own purposes, which could lead to a dangerous back-and-forth between various countries.
EPIC asked NTIA to address these problems with consumer protections that:
Promote Privacy Enhancing Techniques (PETs) that minimize or eliminate the collection of personal information.Ensure routine security updates for IoT devices; andCarefully assesses IoT deployment for critical functions, including transportation, home security, and medical devices.The NTIA’s multi-stakeholder processes are simply not working – they result in weak, voluntary self-regulatory regimes. Industry self-regulatory programs do not provide meaningful privacy protections. The NTIA should support a strong legal framework that protects American Internet users and promotes public safety.
http://nymag.com/selectall/2017/01/the-internet-of-things-dangerous-future-bruce-schneier.html
But under a president whose command of facts is illusory, denies climate change and does not believe the Russians had any impact with their hacking, the probability of positive progress is poor. More likely we get stoopid intervention at the next crisis.
IoT is too big for industry to secure. As with every major technology impacting the public, Trains, Planes, Autos, Ships, Nukes, Finance..., a Government Agency using a consortium of the best and brightest to establish and review cyber-rules, regulations and enforcement protocols is needed. Ultimately an International body is needed.
IoT and the "network Everything" mentality that goes with it need to be altered in favor of a connectivity security hierarchy with access rules depending on device function. For example - in a hospital, patient infusion pumps, cardio stimulators, MRI's etc should be on closed local networks without internet access. These devices should report data and have local management that allows observation only from the outside - nothing should allow external input to alter functions. Today that is not the case. We need security to be constantly tested and challenged, and that again is not the case. Thus we have bad security and penalize those responsible for finding gaps instead of rewarding them. This all goes back to the days of manufacturing "ABC's", promulgated by Demming, but applied by the Japanese. They were so methodical that defects became so rare that when one surfaced it was cherished for what it told managers about process change priorities. If a positive path is not chosen, the World Wide Robot we are currently constructing will be realized and the potential for un-intended consequences such as hostile emergent properties, could be dire. And I am an optimist.