Here's what I’m reading this week:
Senator Warner on Securing IoT: Senator Warner has been a loud voice on a range of cybersecurity issues, and this morning he weighed in on what we need to do to secure IoT. He raises a number of issues – the op-ed is a worthwhile read – but two in particular stood out to me.
First, he highlighted the need for a meaningful rating system for consumers to assess the security risk inherent in IoT products that they purchase. This is not a new idea (Sen. Warner actually links to a new project set up by the well-known hacker Mudge to create exactly such a rating system), but it is nevertheless an essential one. The more attention paid to this effort, and the more support we can generate for efforts like the Cyber Independent Testing Lab, the better. Meaningful quantification of risk is a problem across IT investment, but nowhere is the challenge more acute than with consumer purchases. Alleviating this uncertainty is an essential first step to putting more pressure on industry to build more secure systems.
Second, Sen. Warner emphasizes a particular challenge that was revealed by last month’s WannaCry ransomware. The primary and best response to the SMB vulnerability underlying WannaCry was patching, and one of the primary narratives coming out of that incident was that companies needed to patch faster to stay ahead of threats. Unfortunately, patching today is complex, cumbersome, and risky – this is why two months of lead time wasn’t enough for many organizations to patch ahead of WannaCry. Warner highlights this challenge in particular, and calls for greater focus by US policy makers and innovators on solving it.
The Connected Car as a Mobile Data Center: The NYT had an interesting piece yesterday about the emergence of modern cars as highly targetable mobile data centers. The story’s prime message is that car companies are investing more and more in computer security experts, and we should expect the investment and threat to only grow. To make its point, the article notes that today, an average car has more than 100 million lines of code – with somewhere between 15 and 50 defects per 1,000 lines, that’s a lot of attack surface.
But the most interesting part of this article to me isn’t that cars are now essentially computers with wheels. The most interesting part is a throwaway sentence in the setup of the article: “Twenty years ago, cars had, on average, one million lines of code.” We talk today about the computerized car as if it were a cutting-edge phenomenon, but we forget that cars have been computers for two decades. As any futurist might tell you – the future isn’t coming; it’s already here. You just have to know where to look.
I'm reading: "Why Car Companies Are Hiring Computer Security Experts."
More connected cameras, more Chinese companies, more hard-coded passwords. You might have thought we’d learned our lesson from the Mirai botnet, but apparently not.
HavenCo in Space (space...space...space). A self-proclaimed “space nation” (“Asgardia”) is planning to launch a satellite later this year to offer a new-new version of data storage beyond the reach of government regulation. In case you’re wondering, this is pretty much exactly like the early-2000s attempt by HavenCo (based on a WWII anti-aircraft platform in international waters off the coast of Britain) to offer the same service.
Hiding C&C URLs in Britney Spears Instagram Posts. Because, if you were a Russian state-sponsored hacker, where else would you hide your encrypted communications?