Do we learn from our mistakes? I’d like to think so, but the ever-increasing reports of IoT devices with major cyber security shortfalls are making me wonder.
The current cyber security risks can, if we want to be brutal about it, be put down to technology developers of all colours focusing on features and functionality over security. I understand why: security is ‘boring’, and sexy new features are ‘exciting’.
The BBC ran a piece this week titled ‘Smart Devices, Dumb Security’, which is the continuation of the theme whereby an IoT ‘smart’ device, such as a remote pet food dispenser, can be compromised with ease by a cyber criminal who will use it as a stepping stone into a home network where they potentially find data of value, or compromise other devices. What is the solution? At present I can’t seem to see one, other than user education. Legislation certainly isn’t going to do anything about it any time soon, so it does look like we are going to continue to be wowed by features and sold short on security.
Bloomberg discussed on their TV Show, Bloomberg West, how IoT devices, including connected cars, are now outstripping more established devices such as computers and phones, in being connected to the web. With security holes in all of them, that’s more and more places for criminals to commence their activities.
But, perhaps I’m being too pessimistic here. At the same time that these new devices are starting to flood the market, with their security shortfalls, teams of cyber security researchers (and ‘white hat’ hackers) are looking at increasingly creative ways to thwart the criminals and their activities. One of the headlines that came out of the recent Cyber Grand Challenge, promoted by the US Defense Advanced Research Projects Agency (DARPA), is that machines could fix themselves using intelligent bots.
What would this look like in the real world? Well, DARPA Program Manager Mike Walker is quoted as saying, “Imagine getting a text message from the system that protects your business, letting you know it just learned about a new flaw in your document reader and synthesized a new patch all on its own”. This new way of thinking seems to me to be a potential light at the end of this cyber tunnel.
The law, irrespective of country, is always an uncomfortable bedfellow for technology. As we all know, technology moves fast and the law is not known for being quite as brisk in its development. However, sometimes it would be nice if the law could lead. TechCrunch recently posted a story that discussed how the privacy rights organisation Privacy International has issued a legal challenge to the UK government over its bulk hacking activities against foreigners.
This has been lodged with the European Court of Human Rights, to determine whether this activity by the UK government does indeed violate an individual’s human rights. There is no doubt that privacy is a fundamental human right, recognised in the UN Declaration of Human Rights, but does this translate to online activity? Article 8 of the Human Rights Act states that “Everyone has the right to respect for his private and family life, his home and his correspondence”; however, this can be limited by law when it is necessary to do so in a democratic society for reasons such as national security, public safety, the prevention of crime or protection of the rights and freedoms of others. Any limitation on this right must be proportionate. So are the UK’s activities proportionate? Sadly, I can’t answer that.
This discussion will go on and on, but at some point it will be resolved. However, between now and then, and in the absence of these self-securing bots, we are living in a world where both criminals and security agencies may have an interest in our ever-increasing online activities. Saying that though, I’m not sure who would really be interested in the timetable you set on your IoT device to feed your pet!
For links to all these stories and more, or to contribute some comments, join us by searching for the National Cyber Skills Centre on our social channels of Facebook, LinkedIn and Twitter, or just click the relevant links from our website.