Microsoft SXSW SapientNitro

Security of Things: Who will save us from the risks of the connected world?

By Neil Dawson, Chief strategy officer

March 15, 2015 | 4 min read

As a child in the 80s, Nicholas Percoco, head of strategic services at Rapid7, visited EPCOT – Disney’s Futureworld attraction. It presented an extremely optimistic vision of the future where no risks were considered and there were no software malfunctions. He used this theme to explore the issue of internet security, with a sometimes lighthearted look at the next 50 years followed by a simple, practical guide to what we can all do today.

Before the internet of things (IoT), there were just ‘things’ – with limited risks. Percoco highlighted the bedwetter alarm of the 60s (electrocution), the microwave (user error, radiation – always rumoured) and then, more recently, the Roomba-like robot vacuum in South Korea which sucked up a woman’s hair as she slept.

Re-imagining EPCOT today, Percoco explored the risks in the next 50 years of both the possible and the more far-fetched ideas of how we will live our lives. Elastic transport systems which connect driverless cars with services such as Uber and Siri (think the cab scene in Total Recall) will be vulnerable to software instability, logic flaws and malicious compromise. Autonomous Physician Assistants (essentially robots diagnosing our ailments through scans) could be subject to privacy issues, logic flaws and the possibility of malicious diagnosis designed to cause harm.

If we get to the era of Digital Telepathy, where we no longer use any devices and our thoughts send messages or create augmented reality experiences, then we could be victims of privacy invasion, malicious control and ransomware. By the time we get to Sleep Working and Mind Farms we may be at the outer limits of the imagination but the risks are evident. The more personal the tech, the more serious the consequences of any failure.

Returning to today, the key challenges are twofold: impact on human life and public safety. Phones and wearables are becoming integral to our lives and there are already security challenges. Who will protect us? Three different groups can help.

First, there are those within the industry who care – specifically the hacking community. By researching devices and exposing flaws they can provide support to us all. Major companies, including Microsoft, have run bug bounty programmes through their Security Services Centre which incentivize the finding and reporting of flaws.

There are also crowdsourcing businesses such as Bugcrowd and HackerOne in this space. This feedback is not always welcomed by the manufacturers for reputational reasons. Other examples include Iamthecavalry.org, which has released a five-star cybersafety framework for the automotive industry, and Builditsecurely.org, which is working with IoT developers to make sure their tools are secure.

The second area is government legislation and regulation. A recent government report looked into the risks of malicious hacking into connected cars, suggesting forthcoming legislation. If software fails, the issue is liability and there are already precedents set in a court case involving a malfunctioning Toyota Prius in 2013 where the code was identified as flawed. The concern with any government-imposed standards of compliance is the likelihood they will be lowest common denominator rather than offering effective protection.

Finally we need to look to ourselves – the Informed Consumer approach. Teach others to download software upgrades (the large majority of people not at SXSW don’t bother or don’t know how to). Hack your own devices to understand if there are flaws and report your findings. Take your kids to a Hacker Convention such as those run by Hackid so they learn about cybersafety, in the same way you teach them about road safety. And vote with your money and only invest in businesses that prioritise cybersafety and security. Tesla have a publicly available vulnerability disclosure policy on their website.

Our dependence on computer technology is increasing much faster than our ability to safeguard ourselves. As computerization and connectivity become ever-more ubiquitous, it's critical that we protect public safety and human life. It’s our collective responsibility and we can all contribute for the greater good.

Neil Dawson is chief strategy officer, SapientNitro.
