IOT security: history repeating

Allen Storey, Product Director at Intercede, in a recent post on Gigaom asks: "How can we trust the Internet of Things"? I have the answer! We can't.

The IOT, Mr Storey correctly asserts, is being built without adequate security. He discusses the risks that result from this state of affairs, citing threats like home and vehicle alarm systems being hacked into and disabled.

All absolutely true. But what's interesting to me is, this wholesale glossing over of security risks is shaping up as a repeat performance of what happened decades back with the Internet. Not "of Things" ... I mean THE Internet ... the original one that started out as ARPANET in the late 1960s and early 1970s. The original Internet had no serious security controls designed into it at all. And why would it? It was a tool for the use of genteel academicians, not a platform for moving money, which would invariably attract malicious actors. At the time the Internet first emerged, most of the hackers we see happily breaking into bank accounts today wouldn't even be a gleam in their fathers' eyes for another couple of decades.

In 1995, the industry dialog on Internet security went something like this (I was there):

  • Industry: "Awesome, dude. The Internet's open for business!"
  • Voice of Reason: "Whoa, not so fast. When you're transacting business with people over an open network, you have no way of knowing who you're dealing with and you open yourself up to all kinds of malware and fraud threats. We need standards for authentication and encryption to make it safe."
  • Industry: "Yeah, but we have SSL and that PKI stuff. Doesn't PKI have SSL? That's all we need. Says it right here on the box. Standards take too long, and we want to monetize today."
  • Voice of Reason: "Wait ... wait!"

(Fast forward to 2014. Data breaches. Zeus Trojans. Cyberextortion. APTs. Cyberwarfare).

Today, as the IOT starts to emerge as something real, the mentality around security, or maybe I should say the lack of mentality around security, is very similar to 1995. Most actors are focusing on the sexy part: productizing the IOT. The nerdy and inconvenient truth of security risks is downplayed, except by the Voice of Reason (guys like Allen Storey), who see the coming train wreck.

I believe the IOT's security landscape will evolve as follows:

(1) In a frenzy of activity, the platform will get built out ... and hundreds, thousands and millions of products and services will be fashioned around the IOT. Security will be ignored or minimized in favor of time-to-market. This is the stage that we're at the beginning of today.

(2) High-value products, services and content will start showing up on the IOT in the areas of commerce and critical infrastructure. Money will be moved. The integrated data and physical assets of hospitals, power plants and logistics supply chains will be on the Internet. Security will receive lip service at this point, but still won't be top-of-mind.

(3) These high-value assets and data will be shiny objects, attracting the attention of malicious hackers, who will then set about doing their worst.

(4) After a few high-profile Son-of-Target incidents, and maybe a few Son-of-Stuxnet and Son-of-Snowden incidents featuring colossal hemorrhages of data, money, national security, or face, the affected industries will wise up. Then, and only then, will standards and regulations set in. By which time everyone will be in damage control mode, and they will be paying a ton more to secure the infrastructure than if they'd done so early on (now), as Mr Storey is proposing.

I'm not saying it should happen this way. Just that it will. Exactly the way it happened with the Internet and ecommerce, only with different details, more advanced technology, and attacks that are conceivably orders of magnitude more sophisticated than what we see today. Put more concisely: "Those who cannot remember the past are condemned to repeat it."

- George Santayana