Tony Sager, a 30-plus-year National Security Agency information assurance expert, has a new mission: to identify ways to help mitigate the cyberthreats posed by the Internet of Things, those billions upon billions of unmanned devices connected to the Internet.
Since his retirement in 2012 as chief operating officer of the NSA's information assurance directorate, Sager has focused on getting organizations to adopt cybersecurity best practices. More recently, he has begun to look at the vulnerabilities presented by the Internet of Things as the chief technologist of the Council on Cybersecurity, a not-for-profit group that promotes practices to assure a safe and open Internet.
What makes many devices attached to the Internet such a threat is that most of them have not been designed to account for information security. That's because many of these devices - such as industrial components, medical devices, home appliances and even auto parts - weren't connected to the Internet until recently.
Not on the Radar
Sager says many device manufacturers don't incorporate network security in the design of their devices because it's not part of the processes they go through to get their products certified. Simply put, for many manufacturers, security isn't even on their radar. Take, for example, a medical device that feeds information about a patient to a computer over a network. The device goes through rigorous certification processes to assure it keeps a patient healthy, but information security isn't necessarily a top-of-mind factor in whether the device can function as its designers intend. Sager says that kind of thinking must change.
But IT didn't rank security as a top priority, either, until the turn of the century, with the rapid growth of the Internet. And, Sager asks, why reinvent the wheel for device manufacturers? These companies can turn to processes IT has used for nearly a generation to safeguard their products. "There's no reason to take 15 years to recreate the same kind of model for Internet devices," he says. "We ought to figure out a way to get there more quickly by turning to people who have a lot of experience with this."
Sager says device manufacturers can turn to the Mitre Corp., which hosts a standard known as Common Vulnerabilities and Exposures, or CVE, a dictionary of common names for publicly known information security vulnerabilities launched in 1999. IT manufacturers use CVE to help identify vulnerabilities so they can architect security into their products. Device manufacturers can do the same.
A Role for ISACs
The former NSA official also sees industry ISACs - information sharing and analysis centers - playing a key role in helping device manufacturers secure their products. "Communities get together to share information; device manufacturers could piggyback off of that," he says.
Sager specifically cites the Financial Services ISAC. "The finance sector is considered the shining class, and they buy lots of gizmos," he says. "They could become part of the conversation bringing flaws they find to the attention of [device] manufacturers, establish best practices. You can play off the existing infrastructure that's been built up over the past umpteen years."
With more devices being connected to the Internet, should regulators consider requiring manufacturers to incorporate security into the products they approve? "A lot of folks are grappling with this," Sager says. "Manufacturers are not so anxious for oversight, regulations. Should it be voluntary or mandatory? Everyone is still scratching their head, trying to figure this out."
What ideas do you have to offer device manufacturers for how to do a better job of securing their products? Share your thoughts below.