The vital importance of Secure by Design in the IoT age: IFSEC 2019

Julian Hall

Freelance journalist and copywriter, Textual Healing

June 20, 2019


The Secure by Design session was one of the most anticipated of IFSEC International because it cuts to the heart of some of the biggest challenges to cyber security.

The notion goes one step further than Secure by Default by challenging manufacturers to make their products safe – all of the time – rather than pass this responsibility to the end user.

Security journalist Frank Gardner OBE introduced the panel by saying that their chat before the session had scared him somewhat. It quickly became apparent why.

First to set out the slightly terrifying IoT landscape was Andrew Sieradzki, Director of Security and Technology, BuroHappold Engineering. Sieradzki described how each of us ‘oozes’ data, and that’s against a landscape of 17 billion devices connected to the internet now and 25 billion by 2020.

“We’ve put devices in our homes that are always listening to us – but that’s OK because it’s entertainment”

He said that design focuses on the ‘today’ of a product rather than the ‘yesterday’ or the ‘tomorrow’ of the product. In other words: how secure were the measures and components that made the product itself secure, along the supply chain as well as at the final stage (the yesterday), and what happens to all the data at the end of a product’s life (the tomorrow)?

Situations where baby monitors are hacked and smart TV manufacturers recommend that users run antivirus (“who does that?” Sieradzki asked) are ones to be avoided, and the onus is on the manufacturers to achieve that.

Mike Gillespie, Vice President, Centre for Strategic Cyberspace + International Studies (CSCIS), asked the audience to cast their mind back 20 years to a time before Facebook and ask themselves if they would have countenanced the privacy invasion that was to come. “Yet we have put devices in our homes that are always listening to us, ‘but that’s OK because it’s entertainment’.”

Gillespie outlined a landscape of vulnerability: stolen data from CCTVs (“it’s not closed circuit, it’s open circuit”); the fact that ten thousand Amazon employees are listening to our conversations on Alexa; that our smartphones are listening to us 24/7 and even our smart meters can be compromised to gain important information about us. “We want to protect the privacy of the individual but we’re happily inviting tech into our lives,” he said.

One particular example Gillespie gave was a smart kettle, with a wifi password, that is discoverable on the internet. Enough of these could bring down the national grid, he said, adding “you have just weaponised a kettle.”

‘Air-gap solutions’

Both Andrew Sieradzki (who revealed that he switches off his wifi every evening) and Mike Gillespie suggested that we might have done things differently if we were inventing the internet again. “You would have thought that we would have worked out some rules…we don’t know how to play in that playground safely,” said Sieradzki, who mentioned that clients are demanding ‘air gap solutions’ to stay secure.

Gillespie added that it should not be acceptable that security is the responsibility of the end user. “Manufacturers must take accountability – you shouldn’t be allowed to sell a product that connects to the internet that is insecure. Why is a manufacturer expecting you to remember to change a password? They need to make it as easy as possible for the end-user.”

Buzz Coates, IP CCTV Business Development Manager, Norbain SD, gave a very important example of manufacturers coming together for better standards and referenced the five global surveillance firms (previously reported as Axis, Bosch, Hanwha, HikVision and Milestone Systems) who have worked with the Surveillance Camera Commissioner, Tony Porter, to develop a self-certification scheme. This scheme allows manufacturers to assess their systems for compliance. It also means that they can apply for the commissioner’s secure-by-default certification mark.

In terms of the wider adoption of Secure by Design by manufacturers, the barriers mentioned included ‘cost’, ‘laziness’, ‘ignorance’, ‘the pace of technological change’ and ‘people wanting things easy’.

Cybersecurity was likened by a number of the panel to a padlock, one that should at least be capable of being locked and unlocked. “We have padlocks that don’t lock,” observed Mike Gillespie. He conceded, however, that no system would be perfect.

“Everything can be hacked,” said Gillespie, “it’s just a matter of how long – anyone saying otherwise is selling you a unicorn. In the thirty years I have been in security we have never once been one step ahead of the bad guys; everything we have introduced has been in response to them and that’s probably the way it’s always going to be.”
