CAMBRIDGE, Mass. -- While IT professionals are asking how to secure devices, networks, and platforms, policy makers are asking how to secure data and privacy. The Internet of Things (IoT) and the Security of Things (SecT) share the goal of allowing innovation to flourish, but are developers as concerned with securing data and devices?
Policy makers, academics, and innovators came together last week to discuss “Security, Privacy and the IoT: A Policy Perspective” at the second annual Security of Things forum hosted by The Security Ledger and Christian Science Monitor Passcode in Cambridge, Mass.
Julie Brill, commissioner, Federal Trade Commission (FTC), said, “The state of things in Washington around policy for IoT is a schizophrenic approach.” Brill recognized the opportunity for improving lives in terms of health and transportation, but also noted that there are privacy concerns that need to be addressed.
“Everyone wants to ensure that there is the opportunity for innovation to flourish, but there is also a desire to ensure the intimate collection of information is protected,” Brill said. For the FTC, the trick to creating policy is that they have to take an approach that allows for continued development and invention but also provides for the security of data and the security of privacy.
“Job number one,” Brill said, “is the security of privacy.” Referencing a 2014 study by Hewlett Packard, Brill noted that 90 percent of connected devices are collecting personal information and 70 percent of that information flows over unencrypted networks.
Because privacy is important, Brill said, “We need to figure out how to deal with security issues when addressing privacy issues.” Patching vulnerabilities doesn’t necessarily make a device or the data it collects more secure.
For larger companies, the idea of pushing through patches might not be an economic burden, but for startups or smaller developers that find vulnerabilities, pushing through patches can be costly. Brill noted, “They are going to worry about patching.” Instead, they might release a newer version, but that earlier version with the vulnerability is still insecure.
“The answer is not IoT legislation,” said Brill. “We need data security legislation.”
Peter Lefkowitz, chief privacy and data protection counsel and chief privacy officer, GE, agreed. “From a corporate perspective, security is job one.”
For GE, which has come out with everything from light bulbs to wind turbines and connected medical devices, Lefkowitz recognized, “The FDA came out with guidelines for medical devices, and god help the company that doesn’t follow them.”
The larger and more important message for Lefkowitz is to make sure that there is an understanding of the value and impact of connected devices. “These are incredible areas of development for society, and there is a much more complicated discussion to make sure we get it right,” said Lefkowitz.