Governments should step in to help streamline security standards for the internet of things, as escalating global cyber threats combined with the proliferation of connected devices could lead to serious security and safety hazards, one expert warned.
Connected devices often represent cheap, low-hanging fruit for cyber criminals, said Bruce Schneier, a security expert and special adviser to IBM Security, speaking June 7 at Infosecurity Europe in London. As the internet becomes embedded in a myriad of objects in homes, offices and public spaces, greater attention and more public-private coordination are needed to address security vulnerabilities, he said.
"The risks are too great and the stakes too high" to ignore the threat, and government intervention is often needed to prompt the market to fix safety and security problems, Schneier said at the event.
Research firm Gartner estimates that 8.4 billion connected objects will be in use globally in 2017, up 31% from 2016. By 2020, the firm estimates 20.4 billion connected objects will be in use worldwide. Yet there are many different security standards for the internet of things, published by various industry organizations. Most standards are voluntary, serving as a guideline without any real enforcement.
But with new variants of malware emerging on a daily basis, nation states and technology firms are rightfully becoming more concerned about catastrophes such as large-scale cyberattacks that lead to car crashes or power outages, Schneier said. Just last month, for example, the ransomware attack dubbed WannaCry hit the United Kingdom and rapidly spread to more than 150 countries, impacting Britain's National Health Service and many businesses.
There are between 80 million and 90 million cybersecurity events each year, costing the global economy up to $575 billion annually, according to analysts at Bank of America Merrill Lynch. As many as 70% of attacks are going undetected, they estimated.
Yet the risks inherent in the internet of things have been known for some time, and many do not take them seriously enough, Schneier said. He noted, for instance, that while Microsoft Corp. has ended support for Windows XP, its former operating system, many ATMs still run on its software. In the automobile industry, most car software remains in use for decades as second-hand models are passed on without routine updates, Schneier said.
"Until now, we've largely left computer security to the market. We have been okay with these imperfect solutions because the effects of failure just weren't that great … but that's changing," he argued.
The industry is starting to move toward new international agreements such as the EU's new General Data Protection Regulation, which introduces tougher digital security measures and stronger penalties in Europe, but more regulation is likely coming "in a big way," Schneier said.
"There is a lot of worry that regulation stifles innovation, but if you look at the history that tends not to be the case," he said.