How to secure the Internet of Things (IoT) -- that’s the big security question of this and the coming age, isn’t it? Will baked-in security defend billions of “things” from cyber attackers? Will endpoint technology suitably secure network attached devices and gizmos? Is authentication an answer? Or will it be a myriad of approaches and solutions?
Establishing benchmarks for IoT security is a step in the right direction, according to two Congressional legislators who want to create a voluntary security certification program for makers of Internet-facing devices. Senators Edward Markey (D-Mass.) and Congressman Ted Lieu (D-CA) have proposed the Cyber Shield Act, which will rely on a committee of security experts from academia, industry, consumer advocates and the public to define cybersecurity standards for IoT devices such as baby monitors, cameras, cellphones, laptops and tablets.
The idea is to badge IoT manufacturers whose products meet pre-set cybersecurity and data protection benchmarks. A stamp of approval, if you will, that hopefully will engender confidence among consumers that this or that IoT device is relatively secure from hackers, at least for the moment.
In the process, the legislators coined a new term for an insufficiently secured IoT: We may as well call it the Internet of Threats “unless we put in place appropriate cybersecurity safeguards,” said Senator Markey. “By creating a cybersecurity certification program, the Cyber Shield Act will help ensure consumers can reliably identify more secure products and rewards manufacturers that adopt the best cybersecurity practices,” he said.
Congressman Lieu offered similar sentiments: “It is critical that we prioritize developing products with the security of consumers’ information in mind. The government and tech companies share an obligation to develop more transparency around the security of our favorite devices.”
Are the legislators right, will a voluntary certification program help secure the IoT, gain buy-in from device manufacturers and promote consumer confidence? By any measure, that’s a tall order even absent the dominant question: Where's the proof that consumers will choose security-certified IoT gear over devices lacking a tag?
Certainly the technology industry isn’t new to security standards, mostly for product or platform development, or to advisory bodies with heavyweight members or to legislators who want to protect consumers. For example, earlier this year three prominent chip makers and the European Union (EU) Agency for Network and Information Security cooked up a platform on IoT cybersecurity and privacy. And, there are already a number of formal IoT consortiums. Still, nearly every standards instance rides in with good intentions but commonly neglects to adequately gauge the impact of change, which is kind of ironic considering technology’s premise is built on innovation.
Securing the IoT is something quite apart -- it’s staggering numbers belie standards. Its thousands of developers make billions of units for many different purposes and uses. Asking IoT-centric manufacturers to put an identifying marker of security on their projects might be more problematic than trying to hive honey bees: You can do it but you’d better understand the numbers you’re dealing with ahead of time.
Here’s the full text of the Cyber Shield Act.