The IoT market is an unstoppable snowball rolling down the IT mountain, growing immensely with each turn. Yet some argue that IoT alternatives, like TransitX, may be viable and moreover capable of sidestepping some of the threats posed to traditional IoT. While some may argue the contrary, the notion of IoT alternatives in a competitive landscape seems remarkably presumptuous to me – the IoT train is speeding away, so get on board or get out of the way. Collective markets relying on interconnected IoT devices will spend in the trillions. As a whole, the IoT market is easily approaching $20 trillion by 2020, with 30 billion devices (3.5 per human) and IoT impacting nearly 6% of the global economy.
The conjecture that alternatives to IoT will provide improved cybersecurity is merely marketing hype. If bad actors, now organized and including nation states, can break into sensitive American agencies, you’d better believe that companies like TransitX – by somehow avoiding IoT – are still very much at risk of attack. Where there’s a digital pathway, there’s a way to hack it. Moreover, the shift is on to reinforce IoT cybersecurity – of the $115 billion cybersecurity market, IoT is projected to represent 25% of that spend by 2020. Just like in the first Indiana Jones film, companies marketing IoT-safe solutions are digging in the wrong place.
IoT dangers are real, present, and astoundingly frightening. In fact, the capacity to hack and attack has grown at a staggering rate simply because of the Internet of Things. Prolific applications, devices, and systems are communicating without any inquiry into, verification of, or assurance against cybersecurity risk. Nobody can effectively assess the cybersecurity risk of organizations, third parties, cyber insurance, or systems/devices/IoThings and their transactions. I no longer lie awake worrying about the traditional hacker breaking into our customers’ networks. No, I worry about the collective teams of attackers – who share technology, breach data, know-how, and even the spoils from their conquests – owning our customers through their thermostats, ATMs, or MRI devices. Don’t forget, compromised DVRs were used to take down the Internet on the U.S. East Coast not long ago. Yes, pacemakers can be hacked. Yes, self-driving cars are susceptible to attack – and guess what, so are most human-operated cars made in the last decade. Electric kettles, smart locks, video cameras, all manner of medical devices, fridges, washing machines, televisions … all can be hacked. Imagine a high-value physical target being watched, listened to, and potentially harmed via the machines we’ve historically relied on.
Policy and legislation could certainly help. It damn well better. I’m talking at the national level – at state and local levels we are typically miles behind. Currently, the average spend on cybersecurity is 3-5% of an organization’s IT budget, very rarely even factoring in IoT. How can something that is now a regular part of Board-level discussions garner so little of an organization’s spend? Either it is a priority or it isn’t. Simply look at Equifax’s spend on cybersecurity and you’ll see that to them it certainly was not. Now, exponentially increase the reach of an organization’s connected tentacles through the jungle of as-yet-unknown IoT devices, and you can bet this “Wild West” is in desperate need of regulation. We need legislative policy governing a Digital Geneva Convention, data breach reporting norms with associated punitive action, and some standard for measuring IoT risk.
Senators Cory Gardner (R-Colo.), Charles Schumer (D-NY), John McCain (R-Ariz.), Lindsey Graham (R-S.C.), and Jack Reed (D-R.I.) were all fairly vocal in their hopes to establish a Senate committee aimed at addressing all things cybersecurity, much of this brought to the fore again by Russia’s hacking of our elections. Meanwhile, Senator Ron Wyden (D-Ore.) was earlier this year actively pushing for internal controls with respect to cybersecurity and the Senate’s IT infrastructure. Other Congressional leaders are targeting the introduction of cybersecurity stipulations in regulation of industries like autonomous vehicles or electric grids, homing in on IoT. While all of these keep the discussion going, none of them represents a sweeping move to add cybersecurity-focused legislation.
The closest maneuvering in this direction is H.R. 584, the Cyber Preparedness Act of 2017, presented by Representative Dan Donovan of New York’s 11th district. It passed the House but has been awaiting a vote in the Senate since January. Even if it passes, there is much doubt as to whether Trump’s administration has an appetite for heightened cybersecurity measures. Frankly, this Congress has little hope of passing a bipartisan bill into law that simultaneously tackles the concerns of privacy advocates worried about data sharing with the government and of big businesses worried about regulation and its associated cost. This is before we even begin discussing the cybersecurity implications of IoT. Sarbanes-Oxley was the last decent legislation to include regulation of public companies’ handling of cybersecurity. One can only hope that the good Representative John Oxley would call for an amendment to his bill adding public reporting of cybersecurity risk and punitive damages for failure to address that risk – with an emphasis on IoT being part of that equation.
IoT is exploding, its threat is ever present, and no alternative will pave the path to security. Policy, regulation, and a fresh look at how to secure IoT and its transactions are our only means of preservation.