At the IoTNext event in Bengaluru, security industry experts reiterate that there is no law to protect consumers against digital theft and stress on the pressing need to create a legal framework.
The internet today is like ancient Roman cities in the 4th century AD, which could never be protected from raiders who pillaged them at will. The auxiliary Roman forces could never save their cities against these barbaric hordes because the main Roman force was always engaged elsewhere, protecting large cities like Ravenna and Byzantium.
This is the state of security in today's world. Everyone on the internet is open to be raided; their data stolen by hackers. So except for large businesses that spend tons on network security, smaller ones do not understand how to secure themselves in the world of multiple devices.
“Let us be frank, the emperor is naked and that is how we see the security ecosystem for the IoT industry,” said Arvind Tiwary, founder of SangEnnovate.
Speaking at the IoTNext event organised by the IESA and the Government of Karnataka in Bengaluru, he added that there were 13 security standards bodies globally, but none of them looked at the damage caused by data theft to lives.
Gulshan Rai, Chief Information Security Officer, the government of India, said: “The problem in the world of the internet is that no one knows the attributes of a threat. There has to be a global consortium to fight global digital attacks. Today finding IP addresses and neutralising them is not the answer; people who attack others digitally need to be prosecuted.”
Tiwary, of SangEnnovate, agreed. “IoT is today the internet of hacks. Deloitte got hacked, CIA got hacked and everyone is vulnerable to hacks.”
The complexity of security as a business
Cybersecurity is like building new technology architecture. The complexity depends on technology, the data that needs to be secure and the legal framework that prevails in each nation. The challenge for each nation is to find out the origin of the attack and go after those individuals. They tackle issues of security; legal aspects do not exist. The law does not know how to capture cross-border internet security breaches. Unfortunately, organisations are held responsible for security.
“If a device is broken into, people blame the device company for the theft. Security is not the problem of the company that sold the product, it is in the jurisprudence of law,” Tiwary said.
The problem again comes down to systems, where individuals are not protected by law because the police do not know how to handle digital crime when attacks happen from global centres. So, individuals should take things in their own hands where they can contact an external agency to protect them from these digital threats. In the world of IOT, one has to be absolutely sure on how data is secured.
Tiwary said: “You don't want an anonymous person hacking into your IoT device and switching on the geyser. How can we catch and prosecute such a person?” He added that protecting an IoT network should be a country-wide and worldwide exercise.
Bikash Barai, co-founder of the CISO Platform and also part of the panel, said all activity needs to be logged in on a real-time basis and correlated to attribute the threat.
“How do you do forensic analyses to shut global servers and how do you trap hackers, these are some of the questions that policymakers ask themselves,” Bikash said.
The ecosystem of hacking
Dr Phil Polstra, author of the book Linux Forensics, was at the IOT Next Summit and said the challenges today are to understand how the entire ecosystem of hacking works and the technologies that they (the hackers) use are complex machines and algorithms. He said it is a world where people engineer these attacks and that it is from this perspective that digital security needs to be addressed.
Perhaps understanding criminal minds and tracking digital trails is the key to figure out how hackers work.
“Technology boxes that offer security are not going to solve the problem. It is a human engineering problem and devices are prone to attacks because of human planning,” Polstra said.
Now, this is the heart of the problem. You have to look no further than the Chrysler problem in the country. A bunch of white hats – the ethical hackers – who hack systems to tell corporates there are vulnerabilities once hacked into Chrysler’s Jeep brand’s ECUs to tell them how they can get in and control the entire car. Charlie Miller and Chris Milasek demonstrated that the every Jeep produced would boot up the telematics unit with a WiFi password and how it could be hacked. They showed the world that they could crash cars and do whatever they wanted with them. For example, they could switch off the engine. For a hacker, an unsecure WiFi router or network means they can get into the network by figuring out the source code and cracking the password.
So how does one prepare for these threats if they are a small company?
Secure every layer to stay safe
In the IoT world, only four things and their architecture need to be mapped – the sensors, gateways, applications and the cloud.
“How do I map security is the basic question and one must look at securing every layer before launching a product,” said Bikash, of the CISO Platform.
The problem, however, is with home devices and the network they operate under.
Bhaskar Rao, the Founder of Technosphere, said: “The number of devices in the world is so many that the threats are real. Today everything has moved to the smartphone, from healthcare to what we eat, it’s all on the cloud,”
Worldwide spending on information security products and services will reach $86.4 billion in 2017, an increase of 7 percent over 2016, with the spending expected to increase to $93 billion in 2018, as per Gartner’s latest forecast.
Sid Deshpande, Principal Research Analyst at Gartner, said: “Rising awareness among CEOs and boards of directors about the business impact of security incidents and an evolving regulatory landscape have led to continued spending on security products and services.”
Within the infrastructure protection segment, Gartner forecasts fast growth in the security testing market (albeit from a small base) due to continued data breaches and growing demands for application security testing as part of DevOps. Spending on emerging application security testing tools, particularly interactive application security testing (IAST), will contribute to the growth of this segment through 2021.
Unfortunately, the IOT world is rife with data breaches. A standard on security and a legal framework to protect consumers is something that remains the need of the hour in our country. Until then, use IoT products at your own risk and protect your data with third-party security providers.