Safety and security standards for the Internet of Things (IoT) can’t come soon enough for Phil Kernick, founder and chief technology officer of information security consultancy CQR.
“I’m radical in this area,” Kernick told journalists in Sydney last week. “If you look at any industry that’s new, it goes unregulated until it gets to the point where it’s crazy, and then government steps in and regulates it.
“In the 70s, with the car industry in the US, it was exactly that,” he said.
Kernick was referring to the dramatic changes in the US automotive industry that eventually followed the publication in 1965 of political activist Ralph Nader’s book Unsafe at Any Speed. Nader’s work led, in time, to the mandatory fitting of seat belts, the design of car bodies to reduce injury to pedestrians, and even measures to reduce air pollution.
The industry resisted these changes, of course, because in the 1960s it was making a bundle as affluent Americans bought the latest in mass-produced automotive fashions. General Motors even launched a campaign of harassment and intimidation against Nader.
The great age of railway construction was likewise riddled with decades of disasters before the introduction of effective signalling and fail-safe brakes.
“We say we don’t want to stop innovation, we want to build this market, we think it’s useful. Cars and trains [were] exactly this,” Kernick said, and IoT will be the same.
So we’ll need to kill a few people first?
“Unfortunately that’s what will happen,” Kernick said, in reply to exactly that question.
Kernick is particularly concerned about medtech and self-driving cars where, as he put it, “fundamentally there aren’t any software assurances.”
Harsh. But consider that computer software counts as “goods” under the Australian Consumer Law, and must therefore be “fit for purpose” and otherwise meet consumer guarantees, but only when the software is “of a kind ordinarily acquired for personal, domestic, or household use or consumption”. Is software embedded in a car or medical device a consumer product?
Traditionally, computer software licences claim to be exempt from fitness for purpose requirements. Spreadsheet software doesn’t even guarantee that it’ll add up numbers correctly. With the train wreck of IoT looming, maybe that should change.
“There is a point at which we have to start [saying] that the providers of software have a duty of care for the products they provide to be fit for purpose,” Kernick said.
“OK, for most stuff, fine. But when it’s embedded pacemakers, when it’s self-driving cars … there are some verticals where we need to go secure, not fast.”
People are attempting to change this. The Internet of Things Alliance Australia (IoTAA) is designing a security framework for Australia’s IoT ecosystem. This builds on the idea of a Cyber Kangaroo rating proposed around this time last year, which in turn builds on the security star rating proposal from Andrew Jamieson in May 2016.
All these proposals have one thing in common: They’re an attempt to turn security and safety decisions into a commercial problem, and therefore one that commercial organisations need to act upon.
That’s great, but it only gets us partway there. Losing a bit of share in such a rapidly expanding market won’t be enough of an incentive.
Like cars and trains before it, the Internet of Deadly Things will need to be savaged by the teeth of government regulation to make it truly safe.