Securing the IoT: A Race Against Time

 A huge cybersecurity opportunity presents itself while glaring vulnerabilities in IoT devices sit like a ticking time bomb just waiting to be exploited

The year was 1988.

Robert Morris would immortalize himself in the annals of internet history by distributing the first computer worm. The “Morris Worm,” written allegedly to shine a spotlight on security flaws, did much more than that. It practically took down the internet.

That incident, however, did bring internet security into the mainstream and jumpstarted an opportunity that would ultimately became a multi-billion dollar cybersecurity industry.

Fast-forward 30 years into the age of the internet of things (IoT) and everything old is new again.

Billions of vulnerable IoT devices are now in use. On a daily basis, there are more IoT gadgets being connected than there were internet-connected computers just 20 years ago. The majority of these devices are being made with little or no consideration for security. The focus is on keeping hardware prices down, not on the safety of the software.

This lack of security has not gone unnoticed by hackers, who began to exploit these devices early on and use them as a portal for nefarious means. The scopes of these attacks began to increase, but it wasn’t until the Mirai Botnet and its takedown of Twitter, Netflix, Spotify and other major websites that the magnitude of the situation began to reverberate. Once again, a single exploit nearly took down the internet.

Which leads us now to the next big opportunity in cybersecurity: Securing the IoT.

I was recently asked what it would take for IoT security to be taken seriously. My initial reply was, “What will it take before internet security is taken seriously?” I mean, here we are 30 years later and attacks are still happening daily. I just don’t know that there is a simple answer to that question. You would think that the Equifax breach would have been a game changer, but it wasn’t. Maybe we need another Equifax-sized breach… maybe we need 10!

But it’s not all doom and gloom. Securing the IoT is not impossible, but it does need to be a priority and it will take a coalition of great minds to make it happen.

Certainly, manufacturers are a key part of this process. Until manufacturers quit putting profits ahead of protection and are held responsible for their devices and lack of security, shoddy products will still continue to flood the marketplace.

Getting manufacturers on board, however, is easier said than done. With no clear-cut regulations in place, security continues to be at the discretion of the manufacturer. But perhaps not for long: California’s SB-327 is the first IoT cybersecurity law that requires manufacturers to provide “reasonable” security features in their devices and outlaws default credentials. It’s a good first step, but it is limited to California manufacturers only and critics say the law doesn’t go nearly far enough to protect consumers.

Speaking of consumers, they play a role in this as well. Unsuspecting buyers pay little to no attention to security and blindly trust companies to keep them safe. Disregarding safety for a lower price point not only puts customers at risk, but also enables manufacturers to continue taking those security shortcuts.

So with trickling regulations, little incentive for manufacturers and an apparent lack of concern from consumers, IoT devices are likely to remain vulnerable ticking time bombs.

And that presents the opportunity.

It’s time for the next generation of cybersecurity companies to emerge that are focused on securing the internet of things. The exploding growth of IoT suggests that those companies that pioneer a safer way forward will join the ranks of the McAfees, Fireyes and Symantecs of the world. The opportunity is there … but who will grab the brass ring?

The path to secure the IoT will, however, be far more difficult than securing the internet. We’re not just dealing with three operating systems, but rather thousands of derivatives. It likely will take a concerted effort from true cybersecurity innovators to crowdsource IoT security solutions. Open-source models like Tenable were successful in solving vulnerabilities that sat on networks. We can do the same for IoT. It’s not helpful to simply hack a product and get your 15 minutes of fame. We should be focusing on solutions. We’ve got a clean slate to innovate our way out of this problem. Together.

It’s a race against time to secure the IoT before the next Morris Worm or Mirai Botnet is released.

The clock is ticking …

Chris Rouland

Avatar photo

Chris Rouland

Chris Rouland is co-founder and chief executive officer of Phosphorus Cybersecurity, Inc. A 25-year veteran of the information security industry, Chris is a renowned leader in cybersecurity innovation and disruption. In his career, Chris has founded and led several multi-million dollar companies including Bastille and Endgame. Chris holds more than a dozen patents and has been featured as a security expert for national broadcast and print media outlets.

chris-rouland has 1 posts and counting.See all posts by chris-rouland