Is Regulation the Answer to Fixing IoT Security?


When a cyber attack hit AP Moller-Maersk last year, the world’s largest container shipping line was forced to shut all its IT systems, stranding a fleet of ships at sea and bringing work at its 76 port terminals around the world to an abrupt halt.

If you wanted a real-world example of what can go wrong in the era of connected systems, this qualifies as Exhibit A.

Companies like Moller-Maersk are now increasingly reliant on digital systems and connected devices that were not designed with security in mind, and haven’t been updated with the latest antivirus technology. That situation is the equivalent of a flashing warning sign given the lingering security vulnerabilities affecting devices being connected as part of the Internet of Things.

“This raises the kind of threat that can put a company out of business,” said Robert Metzger, who advises companies on cyber supply chain security and is the head of the Washington office of the law firm Rogers, Joseph O’Donnell, PC.

Until recently, discussions about enforcing IoT security norms have been the purview of the private sector. That’s starting to change with federal agencies focusing attention on the question. Given the clear privacy and data collection issues surrounding the massive amount of data passing through billions of IoT devices each day, proponents say more active regulatory intervention is in the national interest.

But despite garnering more attention, the reality is that government remains slow to take up the challenge of IoT security.

“For years people wrote about how IoT would bring both wonderful opportunities and new vulnerabilities,” said Metzger, who was speaking on a panel at the RSA Conference in San Francisco this week. “Those expectations have become actuality. The problem is that these guys still don’t understand the technology.”

Metzger and his fellow panelists noted that nation-state and other adversaries now have the technical ability to deploy asymmetric warfare tactics against IoT devices, which are proliferating throughout business and government.

The problem is that in the absence of industry agreement, many IoT devices fail to incorporate even basic security measures and arrive in the market with security flaws vulnerable to malicious hackers.

“All those devices are making their way into enterprise systems and the challenge is how to reconcile risk and opportunity,” said Dan Caprio, the co-founder of The Providence Group and an adviser to enterprises on risk security. “We really are in uncharted territory.”

Caprio faulted both the legislative and executive branches for pushing IoT to the backburner instead of making the necessary hard choices to design stronger security. “We’ve not addressed some of the hard problems,” he said. “We need out of Congress, the Executive branch as well as the state government level, the political will to think much more strictly about how we should regulate these systems and networks.”

Considerable efforts have been invested in building standards alliances to end the industry fragmentation over IoT standards as a prelude to building more security into the devices. But while many of these initiatives complement one another, many others overlap and directly compete.

In theory, regulators can fill that void by using the law to require the various stakeholders to get in line. In practice, it’s not so easy.

“IoT is here and the law is not,” said Harvey Rishikof, a director at the American Bar Association, who did previous stints working as an official in the Defense Department and the FBI. “So, we’re in an extraordinary role of playing catch-up. But security is not keeping pace with IoT.”
