The WannaCry attack over the weekend ginned up a lot of discussion about software business models and who’s ultimately responsible for securing outdated software. However, we would all be wise to consider that everything we’re deploying today runs the risk of being outdated down the road, as well. Today’s unpatched Windows XP desktops are tomorrow’s unpatched smart devices and sensors.
Here are three good takes on this problem—only one related to WannaCry, but all making the same general point about securing connected hardware:
WannaCry about business models (Stratechery): Ben Thompson makes a convincing argument for SaaS (as if it still needed one), but read the last paragraph, which begins ominously like this: “The big remaining challenge will be hardware: the business model for software-enabled devices will likely continue to be upfront payment, which means no incentives for security.”
Father of the internet: ‘AI stands for artificial idiot’ (Nextgov): Vint Cerf, speaking to a D.C. audience at an IoT conference: “Some devices last for decades, who is going to maintain that software 30 or 40 years? If the company that built it goes out of business, who has access to the source code?”
Why hardware engineers have to think like cybercriminals, and why engineers are easy to fool (IEEE Spectrum): Security expert Scott Borg, speaking at a conference on sensors: “Yesterday, I saw tanks full of dangerous chemicals, controlled by computers moving things in and out. I immediately thought about which would be the prevailing direction of wind and how you could rupture the tanks with cyberattack. Whenever I look at an appliance, I think what could be done to it that causes maximum damage and embarrassment.”
The cloud will clearly play a big role in helping secure IoT devices while the companies selling them still care to do so. Already, you see Microsoft and Amazon Web Services bridging the gaps between local compute and cloud backends, with Microsoft in particular talking a lot about managing IoT devices at scale—including work to secure communications between hardware and cloud servers. For certain device types, it wouldn’t be too crazy an idea to drive down the upfront costs of devices via a SaaS-like model, thus ensuring patches and other updates happen automatically and without disruption.
This doesn’t answer the question of who’s actually going to manage all these devices decades (or, in the case of startups, 5 years) down the road, but it could provide a good starting point. With the right cloud-based business models—probably combined with some amount of smart regulation, smart contracts and open source code—we can hopefully get a handle on IoT security before the space really explodes and it’s far too late.