As I left the RSA Conference in San Francisco this year, I was intrigued, yet perplexed, by the presentations, conversations and demonstrations regarding the Internet of Things (IoT). No doubt, the messages were clear and well delivered by global cyberexperts. IoT stole the show. The breadth and depth of the conversations was staggering — but mostly dark.
Note: You can gain a better understanding of the many IoT sessions at RSA 2017 in San Francisco by watching my recent BrightTalk presentation — Securing IoT: What Did We Learn at RSA? The webinar requires free registration.
What bothered me? The conflicting world views on IoT between security pros and the majority of global businesses and governments portend years of future conflict in a classic "us versus them" battle to the death scenario.
What are these differences? How can I best explain the problems? Below are two draft speeches, offering different takes on the topic of IoT. Question to ponder: Which one would you choose to deliver? At the end, I’ll offer a possible third way and some final thoughts.
The IoT State of the Union: DRAFT #1
My fellow Americans, the future of our nation is bright because of the incredible technology innovation that we are creating together. The United States leads the world in developing new connected solutions that are touching families and transforming careers in every area of life.
Experts are calling our new inter-connected world the "Internet of Things," or IoT, which enables virtually any device to become smarter, more powerful and more efficient.
Technology holds the promise to cure cancer, end congestion on our roads, travel to distant planets, better educate our youth, stop harmful climate change, improve the quality of life, revolutionize communication and end world hunger as we know it.
Through advances in artificial intelligence, next-generation robotics, connected medicine, driverless cars and much more, we can solve virtually all of the earth’s problems. Society will be transformed for the better as our cities, smart homes and smart grids outperform traditional methods to utilize our precious natural resources. I encourage everyone to learn more about the many smart city resources and how you can benefit from them.
I see a brighter future with, and because of, the Internet of Things. This future with IoT offers hope, prosperity and opportunity for all. While there may be a few obstacles that we must overcome along the way, such as the need to better secure devices and ensure personal privacy, I am confident that everyone will benefit from more instantaneous access to helpful data. Smarter devices offer a better way to live and achieve our goals.
Be smart! Come join me in the IoT revolution.
Let’s create a better, connected, smarter future!
The IoT State of the Union: DRAFT #2
My fellow Americans, it is with a heavy heart that I come before you today. Storm clouds are growing, and indeed, our enemies prosper in our midst, using our own technology. We must be alert and aware of numerous growing cyberthreats that are all around us. From using your home Wi-Fi network to trusting your baby monitor, we are all in danger of becoming victims of identity theft and potentially much, much worse.
Our way of life is in danger. Experts use the term "Internet of Things" (or IoT for short) to denote the connectivity of virtually all new devices. Kitchen appliances, TVs, new utility (electric and gas) meters and even your automobiles are all connecting to the Net. While there are sometimes a few benefits attributed to this connectivity, virtually every device connected to the Internet has already been, or soon will be, compromised. This means that "bad guy" hackers will have control over many areas of your life.
Like the famous story of the Trojan Horse that allowed enemies to enter Troy through a supposed gift, malware and backdoors to your sensitive and private data come into your life via new personal technology. This growing cybermenace must be stopped. Recently a university was even attacked via "smart lightbulbs" and other IoT devices that were taken over.
Sadly, the bad guys far outnumber the good guys online. There is little that we can do today beyond warning you to not purchase or install "smart devices." These IoT devices are actually neither smart to implement nor safe to use.
Many of you have likely heard about Edward Snowden and his revelations. Just this week, we learned how the government was doing something far worse with our connected devices. Through the release of documents from WikiLeaks, we learned that the CIA has the ability to monitor and control virtually every connected device on the planet. There is almost nothing that you can do to protect your privacy if you use IoT devices.
I have seen the latest examples from the RSA security conference in San Francisco, and the demonstrations speak for themselves. Watch and learn how your data is at risk from hackers. Put simply, IoT is neither smart nor safe for our cities or our homes. If you want to stop government- and private-sector surveillance, do not use these connected devices.
In the future, we will hopefully see heavy government regulation and more end-user control returning for these IoT devices. But for now, I warn you to do your homework and understand that you must protect your family and community from the Internet of Things.
There is hope for tomorrow, but only if you are truly cybersmart and stop IoT in its tracks.
Answers, Please: Is There a Third Way?
Given these two extremes represented in the two very different speeches, there are no easy answers or compromises.
With my cybersecurity colleagues around the world, I do worry (a lot) about IoT and the cyberimplications. Many smart devices, like home smart meters, are installed without an option for consumers to opt out. The new benefits are touted, but rarely do we hear about cybersecurity protections put in place — unless there’s a data breach. Recently I addressed the question: How secure is our smart grid?
Is there a potential third way? I think so. Here are three things to consider.
First, security pros can’t "just say no" to all IoT projects or "smart device" implementations.
This discussion brings me back to 2004-2006 all over again. The topic back then was Wi-Fi, and as Michigan’s CISO, I initially opposed the enterprise Wi-Fi implementation project — and almost got fired.
That career episode taught me (the hard way) that opposing new technology innovation is a major mistake. I now believe that security history is repeating itself with IoT. You can learn more about what I mean by “history repeating itself,” by reading this article.
Sure, the stakes are higher this time with IoT. The situation has vastly changed since 2006, but the same ‘us versus them’ patterns have emerged with cloud computing, BYOD and now IoT security. Nevertheless, the IoT boat has left the dock. There is no going back.
Sadly, in general, security pros are again becoming "Dr. No" for most IoT product announcements. No doubt, the depth and breadth of the connectivity stretches well beyond anything that was happening more than a decade ago. The stakes are higher, but be careful before you veto projects.
Second, watch out for simple "all or nothing" answers. Realize that the "Internet of Things" is the new buzzword for almost everything that can connect with anything else. This means there will be good, bad and ugly stories under the IoT banner. The pendulum will swing both ways.
We know that the answers will be slow and hard to come by. We can only secure one device at a time — or not. The acceptance of IoT will happen in smaller chunks, and this will become thousands of unique situations — just as “the cloud” really includes thousands of different products, solutions, networks and vendors.
There is plenty of hype and aggressive marketing that oversells IoT benefits, and there are also articles that encourage security pros to "just say no" to all IoT. Be ready for much more of both, but take the opportunity to become the trusted voice with workable solutions.
Third (and last for this blog), stay engaged. Workable IoT answers that are secure will come from somewhere between the extremes. They will need to adapt to new cyberthreats and other emerging risks. What works today may not work tomorrow. Security and technology pros need to be bringing alternatives along with the pros/cons.
As President Theodore Roosevelt said in 1910: “It is not the critic who counts; not the man who points out how the strong man stumbles, or where the doer of deeds could have done them better. The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood; who strives valiantly; who errs, who comes short again and again, because there is no effort without error and shortcoming; but who does actually strive to do the deeds; who knows great enthusiasms, the great devotions; who spends himself in a worthy cause; who at the best knows in the end the triumph of high achievement, and who at the worst, if he fails, at least fails while daring greatly, so that his place shall never be with those cold and timid souls who neither know victory nor defeat.”