[1]Bruce Schneier: You want real IoT security? Have Uncle Sam start
  putting boots to asses:

Infosec's cool uncle says to hell with the carrot

  Any sort of lasting security standard in IoT devices may only happen if
  governments start doling out stiff penalties.

  So said author and security guru Bruce Schneier, who argued during a
  panel discussion at the [2]Aspen Cyber Summit that without regulation,
  there is little hope the companies hooking their products up to the
  internet will implement proper security protections.

  "Looking at every other industry, we don't get security unless it is
  done by the government," Schneier said.

  "I challenge you to find an industry in the last 100 years that has
  improved security without being told [to do so] by the government."

  Schneier went on to point out that, as it stands, companies have little
  reason to implement safeguards into their products, while consumers
  aren't interested in reading up about appliance vendors' security
  policies.

  "I don't think it is going to be the market," Schneier argued. "I don't
  think people are going to say I'm going to choose my refrigerator based
  on the number of unwanted features that are in the device."

  Schneier is not alone in his assessment either. Fellow panellist
  Johnson & Johnson CISO Marene Allison noted that manufacturers have
  nothing akin to a bill of materials for their IP stacks, so even if
  customers want to know how their products and data are secured, they're
  left in the dark.

  "Most of the stuff out there, even as a security professional, I have
  to ask myself, what do they mean?" Allison said.

  That isn't to say that this is simply a matter of manufacturers being
  careless. Even if vendors want to do right by data security, a number
  of logistical hurdles will arise in both the short and the long term.

  Allison and Schneier agreed that simply trying to port over the data
  security policies and practices from the IT sector won't work, thanks
  to the dramatically different time scales that both industrial and
  consumer IoT appliances tend to have.

  "Manufacturers do not change all the IT out every five years," Allison
  noted. "You are looking at a factory having a 25- to 45-year lifespan."

  Support will also be an issue for IoT appliances, many of which go
  decades between replacement.

  "The lifespan for consumer goods is much more than our phones and
  computers, this is a very different way of maintaining lifecycle,"
  Schneier said.

  "We have no way of maintaining consumer software for 40 years."

  Ultimately, addressing the IoT security question may need to be
  spearheaded by the government, but, as the panelists noted, any
  long-term solution will require a shift in culture and perception from
  manufacturers, retailers and consumers. ®

  (Via [4]The Register - Security)

  My original entry is here: [6]Bruce Schneier: You want real IoT
  security? Have Uncle Sam start putting boots to asses. It posted Mon,
  19 Nov 2018 11:24:43 +0000.

References

  1. http://go.theregister.com/feed/www.theregister.co.uk/2018/11/09/bruce_schneier_want_real_iot_security_get_the_government_to_put_boots_to_asses/
  2. https://www.aspencybersummit.org/
  3. https://go.theregister.co.uk/tl/1787/-6625/following-bottomlines-journey-to-the-hybrid-cloud?td=wptl1787
  4. https://www.theregister.co.uk/security/headlines.atom
  5. https://twitter.com/prjorgensen/status/1064480511018577920
  6. https://www.prjorgensen.com/?p=2325