Caveat Emptor Internet of Things (IoT)

Posted on November 6, 2015


Further to the IoT (Internet of Things) theme I first wrote about back in June, ‘Internet of Things (IoT), Convenience or Calamity?’:

‘FBI Issues Alert on the Security of Internet of Things (IoT) Devices’.

Welcome news until you move past the headline. The guidance that unfolds recommends that responsibility for security should rest with the owners/acquirers of the respective IoT device(s), and that such devices should NOT be connected directly to a public network such as the Internet but maintained on their own secure network(s).

What is the IoT without Internet connectivity? After all, it's in the name: ‘I’ = Internet.

Truth be told, the guidance is not as daft as it may sound on first reading. We do not expect third-party lock manufacturers to secure our front doors for us; we may get a professional to fit the locks, but we take responsibility for securing the keys. The parallel can be drawn across other areas of life.

This is a wake-up call for end user maturity and responsibility in the use and deployment of technologies, and I fear it will ultimately only be answered in the courts. The insurance industry will also have a part to play as claims arise from perpetrators hacking end users' IoT devices and the finger pointing at vendors starts.

In principle, if a vendor provides an IoT device that has robust and configurable security functionality, clearly documented, there is no reason for that vendor to be responsible for the end user's deployment of said IoT device. This presumes said vendor exercises the highest levels of security management in its software and hardware development lifecycle, which raises the ugly spectre of the commercial time-to-market trade-off that governs vendors. And there you have the crux of the issue: commercialism, not security, with the businesses and consumers who pay for the luxury as the testing ground. With every 1,000 lines of software code containing numerous bugs, the attack surface is growing exponentially (quoting from the book ‘Code Complete: A Practical Handbook of Software Construction, Second Edition’). See my earlier article last month on this theme, ‘IT Security needed today – Data governance, fact based risk management and Adaptive Security Architectures’.

The upside is that this heralds a whole new market of professional services and Software as a Service (SaaS) that can cater for the configuration, securing and patch maintenance of these devices. Looping back to the accountability for losses due to IoT hacking: if the owner of a device chooses not to take advantage of a professional service to deploy and secure their IoT, then they should be responsible for any subsequent loss or harm that may result from its compromise by a third party. Just as I would get a qualified lawyer to draft my contracts or a plumber to fit my boiler: if they are not done right, I have recourse.

Welcome the latest addition to the consumer's IT risk mitigation list, one that is unlikely to be covered by your household insurance!