Does the Internet of Things need an indie security assessor?
Some in the IEEE reckon it'd be a good idea, before your toaster burns more than bread
The Internet toaster that's browning your crumpets, talking to its home servers, and participating in a ransomware-distributing botnet should get the kind of cyber-safety testing that it gets for physical safety.
That is, at least, a growing view among Institute of Electrical and Electronic Engineers (IEEE) members, if an IEEE Spectrum piece by Tekla Perry is anything to go by.
Perry, a long-time senior editor at the IEEE, writes here that the idea of some kind of “CyberUL” (referring to Underwriters' Laboratories, home of one of the world's coolest jobs – destroying things in the name of safety), because as things now stand, pretty much any old rubbish is getting pushed out the door by unicorns and old nags, just so long as it ticks the “smart device”, “Internet of Things” and “big data” boxes.
Alas, the meeting that Perry reports was held under Chatham House Rules, so the participants' names aren't reported, but the thrust of her discussion considered:
- At some point, it's inevitable that consumer liability issues are going to arise out of connected devices;
- Companies could be encouraged to mitigate their liability by submitting products to a laboratory and carrying its certification – the CyberUL;
- The twin pressures of retaining certification and competition would help make products more secure; and
- Such a body would encourage companies to share security information.
Such an idea is a long way away – right now, the idea is just that, an idea, a modest proposal without any formal backing.
However, there are a couple of other points that Perry makes that are worth relating.
The first is that if it worked, the existence of a certifying body like CyberUL would probably encourage vendors to offer longer “security windows” for consumer products. That would at least help solve the huge disconnect between the life cycle of a computer (often assumed to be a few years) and a refrigerator (which might last 20 years).
The other is that the group at the IEEE meeting Perry discusses believes there's a case for post-disaster government research. In the same way as governments investigate air-traffic incidents, a mooted “Cyber Safety Board” could provide resources to investigate Internet of Things failures, if they result in loss of life (a device causing a home fire, for example).
Perry says there's an emerging consensus: “To secure the IoT, use carrots—reduced liability, special frequencies—more than sticks, drive companies to upgrade security, and require them to make it clear to consumers just how secure their products really are”, she writes. ®