When the father of the internet speaks, people tend to listen. My ears certainly perked up when listening to Stacey Higginbotham’s Internet of Things (IoT) podcast when her guest, Vint Cerf, brought up escrow arrangements as a way to ensure the credibility and safety of IoT devices.
But, first, let’s back up. Cerf defines the IoT broadly as “anything that’s programmable, and perhaps something that also has communication capability.” This extends beyond appliances in your house, your office, in your car, or on your person. It’s really any “communicating software that takes in real-world information and has an effect on the real world.”
While the IoT certainly has applicability for consumers with smart homes and autonomous vehicles, B2B applications will be even more widespread. The IoT will enable digital transformation in manufacturing, healthcare, agriculture, energy, and other industries. In fact, Bain predicts that by 2020 B2B IoT segments will generate more than $300 billion annually, while consumer applications will generate $150 billion.
Cerf explains, “People are rushing to build products that have these characteristics – communication, computation, and programmability. But, they’re not paying as much attention to access control, security, privacy, safety, and autonomy.” As a result, the rush to IoT could be compromising safety and security.
IoT Security and Privacy Issues
It’s critical to put security and privacy measures in place from the outset because cybercriminals see the opportunity for profit with the IoT, just as legitimate businesses do. As witnessed with the Dyn cyberattack in 2016, a botnet can be built from hacked IoT devices – such as home routers and DVRs – exploiting the fact that default passwords were never changed.
We’ve also seen massive data breaches in 2017 including Equifax, Blue Cross/Blue Shield, FAFSA, the SEC, Deloitte, Hyatt hotels, Uber, eBay and other corporate giants. Organizations must be acutely aware of security and privacy issues as their connected devices share our financial and confidential personal information. Often, IoT data is uploaded into the cloud and shared between devices, which means a greater loss of control, and even more vulnerability. That’s why on the B2B side, protecting proprietary data and intellectual property is viewed as one of the greatest challenges enterprises must meet in terms of smart, connected products.
As reported in this Forbes article, market research firm Forrester outlines the following challenges to achieving a secure IoT:
- Many IoT devices lack basic security requirements;
- There is a plethora of IoT standards and protocols, which creates security blind spots;
- The scale and scope of IoT deployments hinder visibility into security incidents;
- There is a lack of clarity of responsibility regarding privacy and security.
One of the issues is that at present, no one is held responsible. This IoT Agenda article asks, “Who is incentivized to secure IoT? Should the companies producing connected chips be responsible for enabling secure devices? Should responsibility fall to the manufacturer of the devices, like the folks who make thermostats or cars? Or do we need government regulation to set the baseline for what is acceptable?”
How Could Escrow Help?
So, back to Stacey Higginbotham and Vint Cerf. They discuss the potential for IoT regulation, incentives for doing the right thing, and the role government should play. As people increasingly rely on devices full of software, Cerf points out the need for a Cyber-Underwriters Laboratory (which, in fact, is in the works, as outlined in this Network World article). But, as Higginbotham comments, even if most vendors complied with these standards, there is an international dimension: for instance, many of the webcams in the Dyn attack were built in China.
Cerf offers a possible solution: “Suppose you couldn’t sell a product unless you agree to reveal the source code to some party who agrees to keep it private, but still has the credibility to have said we ran it through a series of tests, we did analyses, and we believe it to be safe.”
The third party that Cerf refers to could be an escrow agent. Today, we rely on technology escrow agents, such as Iron Mountain, to safeguard source code so that both the buyer and seller of the technology can rely on a private, safe copy of that technology if it is ever needed in the event of bankruptcy, business failure, or other lack of support.
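To make the arrangement Cerf describes concrete, here is an added, simplified model (not from the podcast, Iron Mountain, or any real escrow service) of an escrow agent that keeps a deposited source tree private, records only its hash, runs its own review checks, and issues a signed attestation that a buyer can verify. All names, the sample deposit and the review checks are constructed for illustration, and an HMAC stands in for the public-key signature a real agent would use.

```python
import hashlib
import hmac
import json

# Constructed stand-in for a vendor's deposited source archive; the agent
# keeps these bytes private and publishes only their digest.
SAMPLE_DEPOSIT = b"int main(void) { return 0; } /* constructed sample */"
# Hypothetical agent key. A real agent would sign with a private key and
# buyers would verify with the public key; HMAC keeps this dependency-free.
AGENT_KEY = b"constructed-escrow-agent-key"


def deposit_digest(source: bytes) -> str:
    """SHA-256 of the deposit: what the attestation binds to, not the source."""
    return hashlib.sha256(source).hexdigest()


def run_review(source: bytes) -> dict:
    """Stand-in for the agent's tests and analyses (constructed checks):
    the deposit is non-empty and contains no hard-coded default credential."""
    return {
        "non_empty": len(source) > 0,
        "no_default_credential": b"default_password" not in source,
    }


def issue_attestation(source: bytes, product: str, key: bytes) -> dict:
    """Agent signs a statement binding product name, digest and review results."""
    body = {"product": product, "digest": deposit_digest(source),
            "review": run_review(source)}
    msg = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(key, msg, hashlib.sha256).hexdigest()}


def verify_attestation(att: dict, key: bytes) -> bool:
    """Recompute the MAC over the canonical body; constant-time compare."""
    msg = json.dumps(att["body"], sort_keys=True).encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(att["mac"], expected)


def buyer_accepts(att: dict, key: bytes, published_digest: str) -> bool:
    """Buyer's decision: attestation authentic, every review check passed,
    and the vendor's published deposit digest matches the attested one."""
    if not verify_attestation(att, key):
        return False
    body = att["body"]
    return all(body["review"].values()) and body["digest"] == published_digest
```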
Cerf brings this situation up in terms of IoT devices. “There are serious supply chain questions that worry me,” he comments. “An example is someone building a device, throwing in a random piece of source operating system code and not caring whether it will ever be maintained or not, [because they] just want to sell the devices.” The vendor may not have a commitment to maintaining the IoT device over a period of time, although the people who buy them have the expectation that they’re going to work for a period of a decade or more. He continues, “What if the company goes out of business within six months because it wasn’t a popular product, yet you want to keep it and use it? Maybe there are escrow arrangements with regard to the source code. I think there’s room for quite a bit of domestic and possibly international exploration of agreements.”
As someone who has worked in the technology escrow industry for 30 years, I know it is a proven solution to safeguard source code, data, and intellectual property. As technology evolves, it is interesting to see how this tried and true solution may take on a new wrinkle protecting the IoT.