The Internet of Things and Security -- Process Not Standards

Paul Rosenzweig
Monday, February 9, 2015, 10:25 AM
Earlier this year, Herb posted a nice summary of the FTC's report on the security of the internet of things.  Today, Senator Ed Markey joins the conversation with a staff report on the insecurity of automobiles.  As the Post summarizes it, the Markey report says that: "Automakers are cramming cars with wireless technology, but they have faile

Published by The Lawfare Institute
in Cooperation With
Brookings

Earlier this year, Herb posted a nice summary of the FTC's report on the security of the internet of things.  Today, Senator Ed Markey joins the conversation with a staff report on the insecurity of automobiles.  As the Post summarizes it, the Markey report says that: "Automakers are cramming cars with wireless technology, but they have failed to adequately protect those features against the real possibility that hackers could take control of vehicles or steal personal data."  That is, in my view, absolutely accurate as a description of where we are today.  With a few exceptions (Tesla is one) security for cars (and other items being sold with internet connectivity) is woefully inadequate. So, the question is "what's to be done" about it?  The FTC report suggests we follow "best practices" which Herb summarized as "building security into devices at the outset, rather than as an afterthought; training all employees about good security, and ensuring that security issues are addressed at the appropriate level of responsibility within the organization; using service providers that are capable of maintaining reasonable security and provide reasonable oversight for these service providers; implementing a defense-in-depth approach to security; limiting the ability of unauthorized persons to access a consumer’s device, data, or even the consumer’s network; and monitor products throughout their life cycle and, to the extent feasible, patching known vulnerabilities."  Senator Markey, apparently would go further.  His report: "calls for the National Highway Traffic Safety Administration to set new regulatory standards with input from the Federal Trade Commission. The standards should ensure that car's wireless and data-collection features protect against hacking and security breaches, require that carmakers test their systems with penetration testing, require drivers be explicitly told about how data is collected and used, and give drivers a way to opt out of such features."   I have no view on the privacy side of this proposal, but the cybersecurity aspects of it are, I think, misguided. I can imagine few regulatory impulses that would be more stultifying to innovation than ones intended to insure that a car is "protected against hacking."  That's the old Maginot Line mind-set of cybersecurity and it is impossible to achieve.  More to the point, as the dissenters to the FTC report noted, the Commission had done no cost/benefit analysis of its "best practices."  I am perfectly prepared to believe that the benefits exceed the costs for some of these mechanisms.  I am also, however, skeptical that all of them  beneficial -- and some of them would be affirmatively counter-productive. We should be very skeptical that hard security standards of the sort that NHTSA and the FTC might adopt would make much of a difference.  It is a common place in the cyber realm that our answers (like information sharing legislation) address threats that are already mostly in our rear-view mirror.  Standards -- especially mandatory ones like those the Markey report contemplates, become mandates that  create a FISMA-like culture of compliance rather than real security. There is a better way.   It doesn't involve security standards, but rather it involves security processes.  Can you, for example, document the development of the code you write?  Do you have a mechanism for both encouraging outsiders to report flaws in the code AND for quickly patching/updating the flaws that are found?  Do you have "evidence capture" systems that function like a "black box" to collect security breaches and code failures?  Do you design your car to segment and isolate critical systems (like the brakes) from non-critical systems, like the Bluetooth connection to the i-Pod? IF (and I'm skeptical) that's the direction that FTC and NHTSA standard setting goes in ... then maybe we are on the right track.  But that doesn't sound like what we are talking about just yet.

Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company and a Senior Advisor to The Chertoff Group. Mr. Rosenzweig formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is a Professorial Lecturer in Law at George Washington University, a Senior Fellow in the Tech, Law & Security program at American University, and a Board Member of the Journal of National Security Law and Policy.

Subscribe to Lawfare