The internet of things (IoT) refers to items (big or small) we use in our everyday lives that have the ability to connect to the internet. The shift we are seeing caused by IoT today is similar to when mobile devices began changing the landscape for IT security professionals several years ago.
The influx of these new IoT devices are as vast as the impact they can potentially have on our daily lives. As more IoT devices are brought to market, the more the stakes grow. A larger attack surface for rogue hackers means that public infrastructures like bridges, power plants, and water facilities are vulnerable. Items in our homes such as appliances are often times delivered with factory-set, hard-coded passwords making them a weak point in a network’s security.
Most of the time these devices are running without any built-in security software or the opportunity to patch. A report recently published by BI Intelligence (Business Insider’s research service) estimates that there will be over 22 billion IoT devices in use by 2021. According to the Business Insiders report, companies will spend almost $5 trillion on IoT products in the next five years, creating a massive increase in analytics and ecosystem. The massive growth and lack of security in this sector have enabled the increase of a multitude of DDoS (Distributed Denial of Service) attacks. Experts and lawmakers alike are taking notice of the anticipated influx of these new devices into the marketplace (and our homes) and the serious security risks they impose.
On August 1, 2017, U.S. Senator’s Mark R. Warner and Cory Gardner, along with Sens. Ron Wyden and Steve Daines introduced bipartisan legislation titled Internet of Things Cybersecurity Improvement Act of 2017. A corresponding fact sheet released by the Senators states, “While IoT devices and the data they transmit present enormous benefits to consumers, the relative insecurity of these devices presents enormous challenges. This legislation is aimed at addressing the market failure by establishing minimum security requirements for federal procurements of connected devices.” While the proposed legislation is still open for debate, we are now seeing individuals who previously turned a blind eye to such cybersecurity issues, working to make significant changes a reality.
The recent WannaCry ransomware attack gave all of us a glimpse into what a significant attack might look like globally. The well-documented attack exploited a flaw in retired Microsoft software, which is not typically maintained and patched for security. The United Kingdom’s National Health Services, FedEx, and Deutsche Bahn were just a few of the organizations hit by the attack. The global impact of the WannaCry attack could have been significantly worse if it weren’t for the coding and implementation mistakes made by its developers.
Some experts believe WannaCry was never meant to be released in its current state, and that it somehow got out of the laboratory prematurely. This thought process leads to fears that the WannaCry attack was a 0.0 version of what is yet still to come. The hope is that government and industry have taken notice and that the Internet of Things Improvement Act points to processes being put in place to decrease the likelihood that the billions of new devices being brought into the marketplace won’t be exploited.
The IoT Cybersecurity Improvement Act of 2017 provides an important step forward as we enjoy the benefits and challenges the world full of IoT brings. By providing clear guidelines for manufacturers, contractors, and vendors, the U.S. government can assist in providing structure in an ever-evolving cybersecurity marketplace.
For more information on how 5thColumn is working to simplify cybersecurity or if you would like to learn more about improving your company’s cybersecurity posture, please get in touch with us.
Written by Brock Willsey, Senior Brand Manager, 5thColumn