iconimage - Fotolia

Infosec17: IoT security regulation coming, warns Bruce Schneier

A security expert urges the security industry to engage with government to ensure that regulation of IoT security is smart regulation

Regulation of security around the internet of things (IoT) is becoming more critical as the things being connected become more critical, according to security techologist Bruce Schneier.

“Regulation is coming and is coming in a big way,” he told Infosecurity Europe 2017 in London, urging the security industry to embrace the fact and get involved.

Schneier said while there is always concern that regulation will stifle innovation, this has not been historically true. In reality, industry always ends up adapting, he said.

“We will adapt too. We are going to have to because governments will get involved regardless because the risks are too great and the stakes are too high.

“The real physical threat from the internet of things will force governments to act because we are talking about fear, and nothing incents a government to do something like fear,” he said.

The real problem, however, said Schneier is that nothing incents a government to do something “stupid” like fear, which is why the information security industry has to get involved.

“The choice is not between regulation and no regulation. The choice is between smart regulation and stupid regulation, and if we don’t want regulation to be imposed on us from the outside with little thought and little time, we need to start thinking about this and getting ahead of this because it is coming,” he said.

“It will take just one disaster before your government, my government or both will do something, and they will do the thing they can grab the quickest, so we have to ensure that it is something that is also smart.”

In the past, Schneier said security has largely been left up to the market, which although “not great” has worked “mostly OK” but these imperfect solutions have been OK because the effects of failure have been fairly limited.

“But that is changing, and this is going to force us to change,” he said, adding that the economics of the internet of things are different.

Read more about IoT security

  • Growth of the internet of things will be slowed or stunted if the industry fails to be proactive about data security, according to IoT Security Foundation.
  • The influx of internet of things devices will inevitably bring security headaches. Don’t miss out on the opportunities of IoT, but learn how to avoid IoT security issues.
  • The Five key information security risks associated with the internet of things that businesses can and should address.

Unlike the computing devices such as smartphones, Schneier said with IoT devices there is no team of engineers at work to design security into these systems and create patches when vulnerabilities appear because IoT devices are typically produced at a much lower cost with a small profit margin.

“These devices have no security teams attached to them and, even worse, have no mechanism for being patched,” he said, which is compounded by the fact that unlike smartphones, IoT systems are being embedded in things such as thermostats, washing machines and cars that have a much longer working life.

The problem, said Schneier, is that no-one knows how to update computer systems that are 40 to 50 years old, which could be the lifetime of a car, because it has never been done before.

Another problem is the market will not fix this because neither the buyer nor the seller cares. In the Mirai botnet attacks, for example, the owners of the hijacked devices were unaffected.

“We are going to get government intervention here because the market will not fix this problem by itself, which is normal because the market rarely fixes safety and security problems without government intervention,” said Schneier.

He sees regulation as being inevitable because companies do not do this by themselves and need governments to force them to act. ... .... ... ... .... .... ....

Read more on Hackers and cybercrime prevention